By Rene Kolga
St. Elsewhere, ER, Grey’s Anatomy, Chicago Med, Code Black – those are just some of the many TV dramas about the life-and-death situations that occur in hospital emergency rooms. While I haven’t seen every episode of every series, I’m confident none ever devoted a single show to the information security professionals who fight to keep protected health information (PHI) out of the hands of cyber thieves. It might make for a compelling pilot pitch to a TV studio, because cyber attacks against healthcare providers are a global epidemic.
The month of July alone was full of bad news regarding healthcare industry breaches. The annual Ponemon Cost of a Data Breach Report revealed that breaches cost the sector about $408 per patient record (up from $380 last year) – that’s more than $200 higher than the nearest industry average. Even more concerning: the mean time to identify a breach and the mean time to contain one stood at 255 days and 103 days, respectively. That’s unacceptable.
In just over a week, we’ve seen reports of multiple healthcare organizations around the world suffer serious breaches, including:
- Singapore: In what may be the biggest data breach in the country’s history, 1.5 million members of SingHealth, Singapore’s largest network of healthcare facilities, had their personal data exposed.
- Canada: Detailed medical histories and other confidential information of more than 80,000 patients in Ontario are being held for ransom by thieves who recently raided the computer systems of a healthcare provider. The attackers are so brazen that they even announced their demands on the Canadian Broadcasting Corporation’s CBC News program, and provided a sample of the data they have accessed.
- A breach at Boys Town National Research Hospital is the largest ever reported by a pediatric care provider or children’s hospital, according to the federal health data breach tally. Data on approximately 105,000 individuals, including young patients, was exposed.
- Healthcare diagnostics company LabCorp had to shut down its IT systems after a suspected network breach that may have placed millions of health records at risk.
- Missouri-based Blue Springs Family Care reported a breach of nearly 45,000 patient records after hackers launched a variety of malware against it, including ransomware.
However, there is some good news. In her July 9th DataBreachToday article “Why Cybersecurity Is Critical to Healthcare Innovation,” Marianne Kolbasuk McGee reported that the Department of Health and Human Services (HHS) is exploring how to spur innovation and investment in the healthcare sector, and hardening the industry’s cybersecurity posture is among its top issues.
Back to my TV show theme, to paraphrase what news anchor Will McAvoy said in the first episode of The Newsroom, the first step to solving a problem is recognizing there is one. And the healthcare industry realizes it has a problem. After all, the customer churn rate after a breach at a healthcare organization is 6.7%, almost double the average across all industries, according to Ponemon’s study.
There are a few key steps any healthcare organization can take to better protect PHI. First, hold regular training sessions for employees, not just once during onboarding or as an annual “check the box” exercise. Phishing and other email-borne attacks are so common because they remain so effective at tricking people into clicking on links or opening file attachments that launch attacks. Email remains the attackers’ favorite entry point.
Second, be religious about keeping up with software patches. Just take a look at this picture I took during a recent visit to my primary care physician’s office — not only has the office’s AV subscription expired, but their PCs are still running the long-unsupported Windows XP! The quality of care I receive from my doctor is excellent, but I worry about the health of my medical records…
Finally, while robust vulnerability and patch management practices deliver most of the benefit (the 80/20 rule of security), you also need to end the sole reliance on endpoint protection products that only work to keep the “bad guys” out.
As I wrote in a previous post about NSS Labs’ recent evaluations of 20 Advanced Endpoint Protection (AEP) solutions, their collective inability to block unknown threats demonstrates the need to adopt a multi-layered defense approach to endpoint security. That requires not just looking for what is bad, but also leveraging a complementary solution such as Nyotron’s PARANOID that focuses on a finite set of good behaviors to proactively keep up with the ever-increasing volume of new, never-before-seen, evasive, and fileless malware threats.