By Torsten George, cybersecurity evangelist, Centrify
For some time, healthcare records and related data have contained a wealth of information about a person, and that data, if not properly secured, can be sold on the Dark Web to enrich malicious adversaries. Patient health information often fetches as much as $1,000 per record. Compare that with more common personally identifiable information: credit card data sells for between $12 and $20 per record, and email addresses are often sold in blocks of 1,000 for less than $100. Part of the reason is that a stolen card number can be cancelled and reissued, while a medical history cannot. It is easy to see why the healthcare industry increasingly finds itself a preferred target for cybercriminals: over the past decade, healthcare has seen more than 2,100 data breaches.
What can the healthcare industry or individual organizations do to secure and protect patient data?
It is a complicated challenge to solve, and we first need to understand how our healthcare system got here. Much of the innovative technology in healthcare goes into the tools used for the care itself, yet many of those devices, such as ventilators, heart pumps and diabetes monitors, are still driven by legacy technology and outdated systems that, unfortunately, are left vulnerable to malicious attacks and hackers.
However, when it comes to the rising number of cyberattacks, we are finding that the greatest risks are to organizations that have made the transition from paper-based records to digital technology. Ten years ago, most patients still had to ask a doctor in person for a referral. Now, a person's insurance coverage details, health statistics, alert notifications, payment information, and prescription history have all been digitized. Even health assessments, telehealth appointments, and some diagnostic testing are increasingly completed within the digital sphere.
So, while it is easier to have this medical history digitized and at our fingertips, the tradeoff has been a significant increase in the attack surface. Before, a criminal had to physically break into a healthcare facility to get at patient records. Now, with so much digital information, criminals can attack in a variety of new ways, from anywhere.
A Global Pandemic Leads To A Global Threat
During the COVID-19 pandemic there has been a significant uptick in data breaches; an April alert from the FBI noted that reported cybercrime had roughly quadrupled. This is likely to worsen as long as the pandemic remains a crisis.
In healthcare, recent examples include Babylon Health, which suffered a breach of patient data on its telehealth app, and Benefit Recovery Specialists, where malicious actors used credential stuffing to reach 274,000 patient records. The threats are not aimed only at patient data; they are tinged with nation-state tensions and espionage. For example, two Chinese nationals were charged by the United States with attempting to gain access to research on a COVID-19 vaccine.
It is also a common misconception that such breaches are caused mainly by external hackers. In reality, people inside the organization can be as great a threat as any external adversary. September was National Insider Threat Awareness Month, a relatively new effort to draw more attention to this increasing threat to organizations before the broader National Cybersecurity Awareness Month in October. Indeed, Centrify's research in September revealed that more than half (51 percent) of U.K. businesses say remote working has led to an increase in insider threats.
To Be More Secure, Fix The Systemic Problems
All of this activity has brought to light systemic issues in the healthcare industry. Generally speaking, the healthcare industry struggles to attract top IT security talent. This creates a considerable disadvantage, especially with such a broad attack surface. The healthcare IT professionals who are there may be struggling to do their jobs without proper funding for the technologies that could better protect the entire organization.
In an uncertain economic environment, a person who is underpaid but has access to information that carries a high price tag on the Dark Web could be tempted to help a hacker, or to steal the information and attempt to sell it themselves. Healthcare professionals are overwhelmed, understaffed, and underpaid, now more than ever.
Protecting Medical Records Without Compromising Care
Thankfully, there are very stringent privacy and compliance requirements set out by the Health Insurance Portability and Accountability Act (HIPAA) and other healthcare industry regulations. However, securing the information while adhering to these privacy guidelines can create an overwhelming challenge for healthcare organizations. Violations can cost a healthcare provider thousands to millions of dollars per incident.
What are some of the ways to ensure compliance? One example is a smart card loaded with PKI credentials and paired with a proximity sensor, used by a doctor or nurse as they enter a triage room to evaluate a patient. They walk up to a workstation, are authenticated by the card, and see only the information their privileges allow them to view; the moment they turn around to interact with the patient, the card leaves range and the workstation locks again. A receptionist, by contrast, gets no access to clinical data. He or she sees only what check-in requires: insurance information to collect co-payments, the patient's home address, birth date, and the date of the most recent visit, but not what was discussed, since that detail is reserved for the doctors and nurses. Segregating information by role in this way, so that each role sees only the fields it needs, limits what any one compromised account or careless employee can expose.
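The role-based, field-level separation described above, together with the lock-on-walk-away behaviour, as an added example in Python. This is not code from the article or from Centrify; the role names, record fields, sample record and the `WorkstationSession` class are assumptions made for illustration.

```python
"""Role-based, field-level access to a patient record plus a proximity-style
session lock. Added illustration, not code from the article or from Centrify;
role names, field names and the sample record are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Fields each role may read. Default deny: a role not listed sees nothing.
# The receptionist sees only what check-in and co-payment collection need;
# what was discussed with the patient is reserved for clinicians.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "receptionist": {"name", "home_address", "birth_date", "insurance_id",
                     "copay_due", "last_visit"},
    "nurse": {"name", "birth_date", "last_visit", "vitals", "allergies",
              "medications"},
    "doctor": {"name", "birth_date", "last_visit", "vitals", "allergies",
               "medications", "clinical_notes", "diagnosis"},
}

# Constructed sample record; not real patient data.
SAMPLE_RECORD: Dict[str, object] = {
    "name": "J. Doe",
    "home_address": "1 Example St",
    "birth_date": "1970-01-01",
    "insurance_id": "INS-000000",
    "copay_due": 25.00,
    "last_visit": "2020-09-14",
    "vitals": {"bp": "120/80", "hr": 72},
    "allergies": ["penicillin"],
    "medications": ["metformin"],
    "clinical_notes": "Discussed glucose management.",
    "diagnosis": "E11.9",
}


class SessionLocked(Exception):
    """Raised when the badge holder is no longer at the workstation."""


@dataclass
class WorkstationSession:
    """A workstation session bound to a smart-card badge.

    The badge is the PKI credential that authenticated the user; the
    proximity sensor tells us whether it is still in range. Every read is
    written to an audit trail so access can be reviewed later."""
    user: str
    role: str
    badge_in_range: bool = True
    audit: List[dict] = field(default_factory=list)

    def badge_left_range(self) -> None:
        # The screen locks the moment the clinician turns to the patient.
        self.badge_in_range = False

    def badge_returned(self) -> None:
        # A real system would re-verify the card's certificate here.
        self.badge_in_range = True

    def view(self, record: Dict[str, object]) -> Dict[str, object]:
        """Return only the fields this session's role is allowed to see."""
        if not self.badge_in_range:
            raise SessionLocked(f"session for {self.user} is locked")
        allowed = ROLE_FIELDS.get(self.role, set())   # unknown role -> nothing
        shown = {k: v for k, v in record.items() if k in allowed}
        self.audit.append({"user": self.user, "role": self.role,
                           "fields": sorted(shown)})
        return shown


def denied_fields(role: str, record: Dict[str, object]) -> Set[str]:
    """Fields of `record` a role cannot see; useful when reviewing a policy."""
    return set(record) - ROLE_FIELDS.get(role, set())


if __name__ == "__main__":
    front_desk = WorkstationSession("rcp_01", "receptionist")
    print("receptionist sees:", sorted(front_desk.view(SAMPLE_RECORD)))
    print("receptionist cannot see:",
          sorted(denied_fields("receptionist", SAMPLE_RECORD)))
    triage = WorkstationSession("dr_lee", "doctor")
    print("doctor sees:", sorted(triage.view(SAMPLE_RECORD)))
    triage.badge_left_range()
    try:
        triage.view(SAMPLE_RECORD)
    except SessionLocked as exc:
        print("locked:", exc)
```

The policy is an allow-list per role, so adding a new role grants nothing until someone deliberately lists its fields, and the audit entries give the access log that a HIPAA review would ask for.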
Controlling privileged access also can minimize exposure to cyberattacks, including ransomware, in healthcare systems. If a hospital is hit by ransomware and locked out of specific medical information, a patient could die. By establishing layered security, eliminating shared or common credentials, and having the IT team monitor systems and privileged sessions, organizations can dramatically reduce this threat. Healthcare providers also can use smartphones as multi-factor authenticators to help stop phishing attacks, with one caveat: one-time codes and push approvals can still be relayed by a real-time phishing proxy or worn down by repeated push prompts, so for privileged accounts a phishing-resistant method such as FIDO2/WebAuthn is the stronger choice where it is available.
Overall, healthcare organizations need to adjust their security strategies to match modern threats, moving away from sloppy password practices and unsecured privileged access and shifting to focus on administrative access controls based on a least privilege approach. In summary, these healthcare entities should:
- Enforce segregation of duties: Separate duties, especially for sensitive or shared processes and tasks. In this context, organizations can leverage so-called “access zones” to tie the rights a user has to specific resources.
- Establish least privilege: Only give privileged users just enough access to resources, just-in-time to do the job required. Leave zero standing privileges to be exploited.
- Implement access request and approval workflows: Govern privilege elevation with self-service access requests and multi-level approvals, to capture who approved access and the context associated with the request.
- Leverage user and entity behavior analytics (UEBA) based on machine learning to monitor privileged user behavior: this helps identify abnormal, high-risk activity and can trigger real-time alerts or automatic removal of privileges to stop threat actors, whether the threat is internal or external.
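The four recommendations above, taken together, as an added example in Python: a small privilege broker that holds zero standing privilege, grants time-boxed access to a named zone only after a multi-approver workflow (with the requester barred from approving their own request), records who approved what and why, and runs a simple volume check over privileged reads that stands in for the ML-based analytics. This is not Centrify's product or code from the article; the zone names, approval count, durations, the `PrivilegeBroker` class and the sample events are assumptions.

```python
"""Just-in-time privilege elevation with a multi-approver workflow, automatic
expiry, and a simple volume check on privileged reads standing in for UEBA.
Added example, not Centrify's product or code from the article; zone names,
approval counts, durations and the sample events are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class AccessRequest:
    requester: str
    zone: str              # an "access zone", e.g. the production EHR database
    justification: str
    approvals: List[str] = field(default_factory=list)
    granted_until: Optional[datetime] = None
    revoked: bool = False


class PrivilegeBroker:
    """Zero standing privilege: a zone is reachable only while a request holds
    enough approvals and its time-boxed grant has not expired."""

    def __init__(self, required_approvals: int = 2,
                 max_duration: timedelta = timedelta(hours=1)) -> None:
        self.required_approvals = required_approvals
        self.max_duration = max_duration
        self.requests: Dict[int, AccessRequest] = {}
        self.audit: List[dict] = []       # who asked, who approved, and why

    def request(self, requester: str, zone: str, justification: str,
                now: datetime) -> int:
        req_id = len(self.requests) + 1
        self.requests[req_id] = AccessRequest(requester, zone, justification)
        self.audit.append({"t": now, "event": "requested", "id": req_id,
                           "who": requester, "zone": zone, "why": justification})
        return req_id

    def approve(self, req_id: int, approver: str, now: datetime) -> bool:
        req = self.requests[req_id]
        # Segregation of duties: nobody approves their own elevation, and one
        # approver cannot count twice towards the required number.
        if approver == req.requester or approver in req.approvals:
            self.audit.append({"t": now, "event": "approval_rejected",
                               "id": req_id, "who": approver})
            return False
        req.approvals.append(approver)
        self.audit.append({"t": now, "event": "approved", "id": req_id,
                           "who": approver})
        if req.granted_until is None and len(req.approvals) >= self.required_approvals:
            req.granted_until = now + self.max_duration   # just-in-time, time-boxed
            self.audit.append({"t": now, "event": "granted", "id": req_id,
                               "until": req.granted_until})
        return True

    def has_access(self, user: str, zone: str, now: datetime) -> bool:
        return any(r.requester == user and r.zone == zone and not r.revoked
                   and r.granted_until is not None and now < r.granted_until
                   for r in self.requests.values())

    def revoke(self, req_id: int, reason: str, now: datetime) -> None:
        # Called by a human reviewer or by the behaviour check below.
        self.requests[req_id].revoked = True
        self.audit.append({"t": now, "event": "revoked", "id": req_id, "why": reason})


def bulk_readers(events: Iterable[Tuple[str, datetime]], window: timedelta,
                 threshold: int, now: datetime) -> List[str]:
    """Users whose privileged record reads inside the window exceed the
    threshold. A crude stand-in for learned, per-user baselines, but the
    same shape of rule a UEBA platform would raise an alert on."""
    counts: Dict[str, int] = {}
    for user, when in events:
        if now - window <= when <= now:
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n > threshold)


NOW = datetime(2020, 10, 1, 14, 0, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=15)
THRESHOLD = 25
# Constructed audit events (user, time of a privileged patient-record read).
SAMPLE_EVENTS: List[Tuple[str, datetime]] = (
    [("dr_lee", NOW - timedelta(minutes=m)) for m in (50, 30, 5)]
    + [("contractor_42", NOW - timedelta(seconds=15 * i)) for i in range(40)]
    + [("contractor_42", NOW - timedelta(hours=3))]   # outside the window
)


if __name__ == "__main__":
    broker = PrivilegeBroker()
    rid = broker.request("nurse_ann", "ehr-db-prod", "restore chart INC-1", NOW)
    broker.approve(rid, "nurse_ann", NOW)            # rejected: own request
    broker.approve(rid, "mgr_bob", NOW)
    broker.approve(rid, "sec_cara", NOW)             # second approval -> granted
    print("active now:", broker.has_access("nurse_ann", "ehr-db-prod", NOW))
    print("active after expiry:",
          broker.has_access("nurse_ann", "ehr-db-prod", NOW + broker.max_duration))
    for user in bulk_readers(SAMPLE_EVENTS, WINDOW, THRESHOLD, NOW):
        broker.audit.append({"t": NOW, "event": "alert", "who": user})
        print("alert: unusual volume of privileged reads by", user)
```

Note that nothing in the broker has a permanent "admin" flag: a user is privileged only for the life of an approved grant, and both the approvals and the justification survive in the audit list for later review.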
One thing is clear: healthcare organizations cannot risk granting too much privilege to staff or contractors, because traditional perimeter security cannot protect them from an insider accessing critical data. By granting only the least amount of privilege necessary to do a job, they can minimize the risk of an attack that either started or was enabled from the inside.