5 best practices to avoid the pain of a health care data breach

Prevention is best medicine for organizations, patients and employees to protect personal records


Researchers agree: health care is now one of the top three targets for cyber attackers. No matter what type of health care facility you work in (a large research hospital, clinic, regional medical center, health insurance company, or a company that provides business or clinical services for health care), the data you work with is worth millions of dollars on the dark web. And attackers can hold a hospital hostage, almost instantly halt operations, and disrupt critical medical processes.

Unlike financial data, with its built-in mechanisms for stopping suspicious payments and reissuing compromised accounts and cards, personal medical data is immutable: a diagnosis, a date of birth or a Social Security number cannot be cancelled and replaced. Once it is stolen, the individuals to whom it rightfully belongs are at risk for identity theft, impersonation and financial fraud, with no practical way to protect themselves.

For health care organizations, data breach costs are high, averaging $355 per lost or stolen record, compared with the costs for data theft from educational ($246), research ($112), and public sector entities ($80), according to Ponemon Institute's "2016 Cost of Data Breach Study: Global Analysis." Moreover, breached organizations often are subjected to lawsuits, which can run costs into millions of dollars. Breaches also can ruin an organization's reputation and destroy client trust.

Related story: Cyber criminals follow the money ... to your health care data

Health care organizations should consider cyber protection a top priority. For maximum efficacy, it is best to approach cyber protection holistically.

Fortunately, implementing security best practices immediately reduces the risk of cyber compromise throughout the organization. The five practices described here give hospital CISOs, CIOs, security teams, and IT teams a starting point for protecting valuable data.

Train employees

Technical, administrative, and clinical staff must understand the importance of practices such as never sharing passwords; avoiding the use of default passwords and system configurations; changing passwords whenever compromise is suspected (current NIST SP 800-63B guidance no longer recommends forced periodic rotation on its own, since it pushes users toward predictable variants); patching systems to remain current; learning to spot suspicious emails; and not clicking on embedded email links or attachments. Regular follow-up training should make sure best practices are followed and adapted as the threat landscape changes.

Encrypt data

Data should be encrypted both in transit (over the network and in email) and at rest, using Transport Layer Security (TLS) 1.2 or higher for transport and AES-256 for storage (256 bits is the largest AES key size; "higher" does not exist). Encryption at rest protects against attackers who manage to breach other defenses, and TLS protects against man-in-the-middle attacks, in which a malicious actor intercepts communications to gain access to sensitive data. Note that TLS only defeats an interceptor when the client actually validates the server's certificate and hostname; a client configured to skip verification is encrypted but not authenticated, and an attacker in the path can simply present its own certificate.
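The following is an added example, not code from the original article, showing the difference between a TLS client configuration that meets the policy above and one that does not. It uses only Python's standard `ssl` module; the cipher list `AES256_ONLY` and the function names are assumptions chosen for the illustration. The audit function is the kind of check worth running over integration scripts that talk to lab systems, billing interfaces or medical devices.

```python
import ssl
from typing import List

# Assumed policy string matching the article's "TLS 1.2 or higher and AES-256":
# only AES-256-GCM suites with ephemeral ECDHE key exchange for TLS 1.2.
# TLS 1.3 suites are negotiated separately by OpenSSL and are unaffected by set_ciphers().
AES256_ONLY = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def hardened_client_context() -> ssl.SSLContext:
    """Client context: system CAs loaded, certificate and hostname verification on,
    TLS 1.2 as the floor, and only AES-256-GCM suites offered for TLS 1.2."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1 explicitly
    ctx.set_ciphers(AES256_ONLY)
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The context that ends up in a device-integration script after someone disables
    verification "to make it work" with a self-signed certificate. Contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate accepted: an interceptor is trusted
    return ctx


def enabled_tls12_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of the TLS 1.2 cipher suites this context will offer."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of policy violations; an empty list means the context is compliant."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS 1.0/1.1")
    weak = [name for name in enabled_tls12_suites(ctx) if "AES256-GCM" not in name]
    if weak:
        findings.append("non-AES-256-GCM TLS 1.2 suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        print(f"{label}: {audit_tls_context(ctx) or 'compliant'}")
```

Pass the hardened context to `urllib.request.urlopen(url, context=ctx)`, `http.client.HTTPSConnection(host, context=ctx)` or `ssl.SSLContext.wrap_socket()`. Encryption at rest is not covered here because the standard library has no AES implementation; use a vetted library's AES-256-GCM (authenticated encryption, never bare CBC without a MAC) and keep the keys in an HSM or cloud KMS rather than beside the data.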

Back up everything

Data backups are crucial, especially to combat aggressive ransomware attacks. The only way to return systems and devices to normal after a successful ransomware attack without paying is to restore from a clean backup. Back up business, medical, device, email and other data on a regular schedule, and keep backups in multiple physical locations, with at least one copy offline or otherwise unreachable from the production network so that the ransomware cannot encrypt the backups as well. A backup is only clean if you can prove it: record a hash of every file when the backup is taken, verify the archive against those hashes before restoring, and rehearse full restores on a schedule rather than discovering a corrupt archive during an incident.
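An added example (not from the original article) of the "clean backup" discipline described above: the archive carries a per-file SHA-256 manifest, a sidecar hash covers the whole archive, and verification performs a real test restore into a scratch directory before any restore to production. It is plain Python standard library; the sample files, the `MANIFEST.json` member name and the function names are assumptions for the illustration, and the patient data is constructed.

```python
"""Integrity-verified backups: hash manifest at backup time, full test restore before use."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"  # assumed name of the per-file hash list stored inside the archive


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Write every file under source/ into a tar.gz and return {relative_path: sha256}.
    The manifest travels inside the archive; the archive's own hash goes in a .sha256
    sidecar that should be copied to every off-site location alongside the archive."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_bytes(path.read_bytes())
            tar.add(path, arcname=rel)
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    Path(str(archive) + ".sha256").write_text(sha256_bytes(archive.read_bytes()))
    return manifest


def _safe_member(name: str) -> bool:
    """Reject absolute paths and '..' so a tampered archive cannot write outside dest."""
    p = Path(name)
    return bool(name) and not p.is_absolute() and ".." not in p.parts


def verify_backup(archive: Path) -> bool:
    """True only if the sidecar hash matches and every member restores (into a scratch
    directory) to exactly the content recorded in the manifest."""
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists() or sidecar.read_text().strip() != sha256_bytes(archive.read_bytes()):
        return False  # archive altered or truncated since it was taken
    try:
        with tarfile.open(archive, "r:gz") as tar:
            if not all(_safe_member(m.name) for m in tar.getmembers()):
                return False
            fh = tar.extractfile(MANIFEST)
            if fh is None:
                return False
            manifest = json.loads(fh.read())
            with tempfile.TemporaryDirectory() as scratch:
                tar.extractall(scratch)
                root = Path(scratch)
                restored = {p.relative_to(root).as_posix(): sha256_bytes(p.read_bytes())
                            for p in root.rglob("*") if p.is_file()}
            restored.pop(MANIFEST, None)
            return restored == manifest
    except (tarfile.TarError, json.JSONDecodeError, KeyError, OSError):
        return False


def restore_backup(archive: Path, dest: Path) -> list:
    """Restore only an archive that passed verification; returns the restored paths."""
    if not verify_backup(archive):
        raise RuntimeError(f"{archive} failed verification; do not restore from it")
    with tarfile.open(archive, "r:gz") as tar:
        members = [m for m in tar.getmembers() if m.name != MANIFEST]
        tar.extractall(dest, members=members)
    return sorted(m.name for m in members)


def demo() -> dict:
    """Constructed sample data (not real records): back up, verify, restore, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "ehr_export"
        (src / "notes").mkdir(parents=True)
        (src / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (src / "notes" / "plan.txt").write_text("rotation: daily, three sites, one offline\n")
        archive = root / "ehr-backup.tar.gz"
        manifest = create_backup(src, archive)
        verified = verify_backup(archive)
        restored = restore_backup(archive, root / "restore_test")
        with archive.open("ab") as f:   # simulate corruption or tampering in storage
            f.write(b"\x00")
        return {"files": len(manifest), "verified": verified,
                "restored": restored, "tampered_verified": verify_backup(archive)}


if __name__ == "__main__":
    print(demo())
```

In production the sidecar hash and a copy of the manifest belong on a separate, write-once medium (or an object store with object lock), otherwise ransomware that reaches the backup volume can rewrite both the archive and its hash together.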

Perform regular scanning

Health care organizations must regularly scan their networks, workstations, mobile devices, and applications for known vulnerabilities. Cyber attacks can enter through an organization's network, wireless network, applications, devices and the physical environment itself. Unlike an enterprise into which only badged personnel or approved visitors can enter, anyone can walk into a hospital. Visitors can easily hear a conversation while standing in line, look over materials sitting out in the open, and even plug a USB device into a wheeled nurse's cart or other accessible device. High risk also is associated with any text, chat and email messages that the organization sends patients on their mobile devices, since those channels leave the organization's control and are a natural target for interception and phishing.

Conduct regular threat modeling

Threat modeling and penetration testing exercises describe current threats and reveal how attackers can target your organization. They identify systems that can be leveraged to exploit vulnerabilities and potential entry points into networks, applications and devices, and they help an organization prioritize and address weaknesses. Because systems, suppliers and attackers all change, threat modeling and penetration exercises should be repeated regularly and whenever a significant system is added or changed.

Putting basics in place

The security best practices described here provide organizations with robust and proven protection against cyber theft of health care data. By implementing these practices, health care facilities and organizations will significantly improve their security postures without compromising services for patients and their families.

More stories about protecting health care data:
Time for health care industry to give its data security a checkup
Medical records theft is a plague on health care, other industries
Compromised patient data sets off a new health care crisis