White Paper

Strengthening Data Security From End To End

Data Security

“Ninety-one percent of healthcare organizations reported at least one data breach in the past two years, and more than 60% of hospitals have no breach response plan in place.”

—The Ponemon Institute

2015 ushered in an explosion of many high-profile security breaches, leaving millions of health records exposed and costing exorbitant amounts in time, money and reputation. One in three Americans, in fact, experienced breaches of their healthcare records last year, with large-scale hacks representing 98 percent of data compromises. Most notably, last year’s cyberattack on Anthem exposed nearly 79 million records, and one at Premera Blue Cross affected 11 million individuals. Both were the result of phishing attacks. The publicity around these events has propelled healthcare to the forefront of IT security discussions, especially as it relates to the protection of personal patient data and what can be done to better protect it.

As cyberattacks continue to target the healthcare industry, touching everyone from physicians’ offices to insurers, both the U.S. government and the private sector have started to increase pressure on healthcare organizations to bolster their information security programs. For example, the Department of Health and Human Services has recently updated its HITECH rules, (Health Information Technology for Economic and Clinical Health Act), which require healthcare organizations seeking federal subsidies for implementing electronic health record (EHR) systems to prove that they are addressing the risks inherent to those systems with stronger data protection measures.

The Healthcare Record: A High-Value Target.

Among all of America’s critical infrastructures, the healthcare sector is the most targeted and plagued by perpetual persistent attacks from numerous unknown malicious hackers, who are intent on exploiting vulnerabilities in their insecure and antiquated networks to exfiltrate patient health records. According to one digital security company’s report, of the 16 critical infrastructure sectors, the healthcare industry suffered from the most data breaches, an estimated 21% (188 out of 888 reported events).

Doug Copley, Senior Security and Privacy Strategist at Forcepoint, believes part of the problem lies with healthcare regulatory oversight.  An information security and privacy leader with nearly 25 years of experience in IT, information security, and data privacy across the healthcare, banking, manufacturing, and professional services industries, Copley contrasts his previous experience in the financial services and healthcare industries. He says that although companies are ultimately accountable for complying with HIPAA privacy and security requirements, the healthcare regulatory authorities haven’t provided the same degree of oversight as financial industry regulators, so the information security programs at most healthcare entities have not been validated for effectiveness or compliance.

“When I was in financial services, we had individuals from the Federal Reserve in our office building three out of four weeks every month, so the oversight was constant,” says Copley. “In contrast, I was the Chief Information Security Officer (CISO) in an eight-hospital health system for three-and-a-half years, and healthcare regulators never once contacted me about our information security program.”

It’s a startling contrast, particularly when one considers that Ponemon’s 2015 Cost of a Data Breach Study reported the average cost per record to remediate a data breach across all industries in the U.S. as $217, while those in the healthcare industry average nearly $400 per record. Why the big cost gap? Medical records have a higher value because data can be used for long periods of time (people can’t change their social security number or medical history), because the data can be used by criminals to fraudulently bill insurance companies for the duration of the person’s life, and because criminals know healthcare has less robust security practices, so it will take them longer to discover a threat or breach.

The Urgent Need to Protect and Defend.

The majority of Web traffic today is encrypted, but cyber security experts like Copley advise inspecting that traffic.

On March 15, ABC News reported that 77% of Google’s online traffic is encrypted.

“Many companies have not deployed highly capable security technology, like Forcepoint, to examine this encrypted traffic, so they have no way to know what data is being sent and whether these data transfers are authorized,” Copley explains. “The risk of data theft is only growing as government policies are driving increasing volumes of healthcare data to be routed across the Internet every day – to health information exchanges, public health entities, healthcare consortiums, and others. To effectively manage this risk, organizations need to keep pace with cyber security innovations to identify the riskiest insiders and data transfers and prevent sensitive data from getting into the hands of criminals.”

Healthcare organizations today need an accurate picture of the security risk profile for the assets, applications, and services they manage, as well as the proper hardware to support their needs. One of the best defenses is to minimize the opportunity for hackers to compromise data.

“There are many things healthcare organizations should be doing,” says Copley. “When I sit down with healthcare CISOs, I counsel them to have strong, comprehensive security mechanisms which include robust controls at entry and exit points to the network, as well as strong insider controls to protect data coming and going off endpoint devices such as PCs, tablets, and mobile phones.  Data can leave these devices via memory cards, printers, Web email and programs like OneDrive and Dropbox.”

Copley recommends implementing an email filtering product that will weed out spam and phishing, both inbound and outbound, coupled with URL or Web filtering. He also suggests URL and email attachment sandboxing to remove malicious content before it is forwarded to a user’s inbox. If the scan turns up a questionable URL, the solution will replace it with a different one to provide an additional layer of protection.

“The criminals can try to hack your system, but they have realized it’s a whole lot easier to trick someone into clicking on a link because when they do that, the criminal can obtain legitimate user credentials on the network,” cautions Copley. “From a security team perspective, this makes that criminal much more difficult to detect because they are coming in remotely with valid user credentials.”

That’s why Copley also recommends additional security methods to protect a healthcare organization’s vital data:

  • Email data loss protection (DLP):
    • Focus on email leaving the network
  • Web/endpoint DLP:
    • Monitor anyone trying to save files to removable media or upload to Web mail, OneDrive, DropBox or Google Drive
  • DLP data discovery:
    • Search file servers and SharePoint sites for specific data
  • DLP with OCR capability:
    • Catch images with text in them using optical character recognition (OCR), such as a radiology image with a patient’s name on it, or a screen capture someone took of the medical record system
  • Insider threat detection:
    • Monitor user activity to determine when a user is behaving in a way that is out of the ordinary, which may be an indicator of risk

“Some people complain their employers are just trying to prevent them from surfing Facebook during the day, but that’s not the primary reason for filtering Web activity,” explains Copley. “If malware infects an employee’s PC, we want to block its communications before it has a chance to talk to its command host and cause a substantially larger impact to the organization.”

Internal Threats Abound.

Current cyber security research shows that threats from insiders are one of the fastest-growing areas of risk for organizations of all types. So what can you do?

  • Flag risky behaviors from your end users that could precede a data breach
  • Record the exact actions taken by your employees for security analysis
  • Place your riskiest users into a high-watch group for greater scrutiny

Internal phishing exercises – where an organization phishes its own staff to see if behavior is matching expectations – can also add a layer of protection, as can a relatively new concept, behavioral analytics, which gives organizations the ability to detect changes in user behavior as a potential risk indicator.

“The key is to equip healthcare organizations with the capabilities to dig deeper, for example, to determine why someone who normally doesn’t access financial data is in the financial system today,” says Copley. “To be able to see that someone who typically works 8 to 5 is now logging in at 10 p.m., 12 a.m., 2 a.m., and for hours on end? This visibility allows companies to create triggers based on behavior and reduce their risk.”

Education is Key.

In KPMG’s 2015 Health Care and Cyber Security survey, 81% of the participating 223 healthcare CIOs, CTOs, CSOs, and chief compliance officers revealed that systems at their organizations were compromised by one or more cyberattacks within the last year. The remaining 19% consists of organizations whose systems remained secure, organizations that did not willingly admit to KPMG that malicious actors had breached their system, and respondents who did not know whether their system had been compromised. In all three cases, the possibility of an undiscovered or unreported breach is likely because only 75% of the respondents felt that their organization had the capability to detect a compromise. Only 53% of the healthcare providers assessed themselves capable of defending themselves from a cyberattack after detection, which is why education on protection measures is so critical, but traditional awareness methods are not sufficient.

“We really need to change our education tactics to focus on repetition and user engagement, rather than the once-a-year death-by-PowerPoint that so many healthcare organizations currently use for training on security protections,” offers Copley. “I can sit my employees down once a year and take them through a 35-page PowerPoint as required under HIPAA, and I can check that box saying I’m complying with security training requirements, but that does very little to reduce risk to my organization. Who’s going to remember what they learned on a slide four months ago?”

A comprehensive approach to security requires education, solutions, and services that ensure the safety and security of your data, infrastructure, and user experience throughout the complete threat lifecycle. It’s no longer a matter of if a breach will occur, but when. You must create your security program to expect that breaches will happen, and when they do, you must be prepared to react quickly and decisively to contain the breach down and remediate it as quickly as possible. Keep a “security event” from becoming a “security epidemic.”

The PC Connection, Inc. family of companies has been trusted for more than 34 years to connect people with technology that enhances growth, elevates productivity, and empowers innovation. As a National Solutions Provider, our teams at PC Connection, GovConnection, and MoreDirect include experts who specialize in customized services and solutions for the healthcare market. Learn more at: http://www.pcconnection.com/health