A Plague Of Data Breaches Leaves Healthcare Vulnerable

By Kevin Ketts, VP of Strategy and Operations, NopSec
The surge in cyber-attacks targeting healthcare continues unabated. In 2015, healthcare records accounted for more than one-third of the total records compromised in data breaches. According to the Ponemon Institute, the healthcare industry witnessed a 125 percent increase in breaches in the last five years, at a cost of $6 billion a year. But why the healthcare industry, and why now?
There are many reasons pointing to the rapid swell of cyber-attacks. Today, healthcare finds itself walking in the same shoes as the financial industry of a decade ago. As more banking services moved to the Web and user adoption of the online channel increased, so did the number of attacks. Healthcare is experiencing the same trajectory, except the attack surface is larger and extends beyond just the Web to include mobile and cloud.
Next, healthcare organizations were late adopters of digital technology and only started to move to EHRs in recent years. The mandate to roll out these technologies was quick and didn’t allow time for cyber security to be considered. Therefore, many organizations were left with no choice but to take a “bolt on” strategy rather than building in security controls from the start. Even if it is a priority, information security has traditionally accounted for only a small portion of overall healthcare IT budgets. According to HIMSS, 49 percent of healthcare organizations dedicate less than three percent of their IT spend to security.
Despite HIPAA regulations and other mandates requiring organizations to achieve minimum security standards, compliance was often overlooked. It has only been in the last few years that healthcare organizations started to take notice as HIPAA tightened controls in reaction to the data breach epidemic — conducting more frequent audits and imposing stricter penalties and fines for non-compliant organizations.
Unfortunately, it takes a few major data breaches to open the eyes of an industry and bring information security to the forefront of strategic discussions. There is no doubt the healthcare industry has a lot of catching up to do. Many organizations are just now moving past the starting line to build out their security infrastructure in foundational areas such as vulnerability risk management, security monitoring, and identity and access management.
Let’s take a look at one of these areas a little further: vulnerability risk management. Lately, so much attention has been paid to anti-malware technology and incident response capabilities. As a result, we have lost sight of the root cause of most data breaches — an exploited vulnerability. In examining many security incidents classified as “advanced” attacks, including some of the most recent high-impact healthcare breaches, it is often nothing more than repackaged malware exploiting the same known vulnerability over and over again.
HIPAA guidelines for risk analysis require healthcare organizations to determine “the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability.” But not all vulnerabilities are created equal. While the Common Vulnerability Scoring System (CVSS) score provides a basis for organizations to begin prioritizing threats, it is by no means the best measurement of risk on its own. Additional context such as known exploits, active attacks, available patches, and the criticality of an asset also needs to be considered in quantifying the potential impact of a threat.
And the industry is not lacking in vulnerabilities. A study conducted by NopSec revealed healthcare organizations have an average of three vulnerabilities per asset. Now multiply that by the number of servers, applications, and endpoints across the entire IT infrastructure, and the number of potential weaknesses is staggering. But perhaps not all relevant, either. The same study found that, on average, it is taking the industry 97 days to remediate a security vulnerability. This is not encouraging when an attacker can build an exploit in just a few hours and often roam the network for as many as 200 days before being detected.
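To make the prioritization argument concrete, here is an added example (not NopSec’s product logic or any published standard) that ranks findings by combining the CVSS base score with the context factors named above, and flags findings that have stayed open past a remediation SLA. The weights, the 30-day SLA and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Context multipliers are assumptions for illustration, not a standard.
EXPLOIT_KNOWN_WEIGHT = 1.5     # a public exploit exists for the flaw
ACTIVE_ATTACK_WEIGHT = 2.0     # exploitation is being observed in the wild
PATCH_AVAILABLE_WEIGHT = 1.2   # a fix exists, so leaving it open is a choice
SLA_DAYS = 30                  # hypothetical remediation target


@dataclass
class Vuln:
    vuln_id: str
    asset: str
    cvss: float             # CVSS base score, 0.0 to 10.0
    exploit_known: bool
    active_attack: bool
    patch_available: bool
    asset_criticality: int  # 1 (lab workstation) .. 5 (EHR database)
    days_open: int


def contextual_risk(v: Vuln) -> float:
    """Scale the CVSS base score by exploit, attack, patch and asset context."""
    score = v.cvss / 10.0
    if v.exploit_known:
        score *= EXPLOIT_KNOWN_WEIGHT
    if v.active_attack:
        score *= ACTIVE_ATTACK_WEIGHT
    if v.patch_available:
        score *= PATCH_AVAILABLE_WEIGHT
    score *= v.asset_criticality / 5.0   # a flaw on a test box matters less
    return round(score, 3)


def prioritize(vulns):
    """Highest contextual risk first; this is the remediation queue."""
    return sorted(vulns, key=contextual_risk, reverse=True)


def overdue(vulns, sla_days=SLA_DAYS):
    """Findings that have exceeded the remediation SLA, regardless of score."""
    return [v for v in vulns if v.days_open > sla_days]


# Constructed sample findings (not real scan data).
SAMPLE = [
    Vuln("V-1", "ehr-db", 7.5, True, True, True, 5, 12),
    Vuln("V-2", "lab-ws", 9.8, False, False, True, 1, 120),
    Vuln("V-3", "patient-portal", 6.5, True, False, False, 4, 45),
]
```

Note that V-2, the highest CVSS score in the sample, ranks last once asset criticality and the absence of a known exploit are taken into account, while it is also the most overdue.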
The bad news for healthcare is the late adoption of digital technologies and lack of appropriate security controls have earned it the title of “Most Targeted.” The good news, however, is innovation in the security industry continues, giving healthcare organizations access to technologies that weren’t available 10 years ago. Now, if only security budget spend can catch up with need.