Data breaches at healthcare organizations are some of the most critical security incidents. They put very damaging information at the disposal of cybercriminals and malicious actors. A slate of regulations in different jurisdictions classify health data as highly sensitive and penalize organizations that mishandle the information or fail to protect it against hackers. An example is the Health Insurance Portability and Accountability Act (HIPAA), which defines standards for handling health data and sets penalties that can cost millions of dollars for organizations that fail to comply with its rules.
However, health-related data breaches continue to happen very frequently and at scales that are very concerning. In 2015, data breaches at Anthem, Premera and Excellus, three of the largest health insurers in the U.S., collectively accounted for the loss of medical information belonging to more than 100 million customers.
In the U.S. alone, the health data of more than 6 million people has been breached in the first eight months of 2018. This is according to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website, famously known as the “wall of shame,” which has recorded more than 200 health-related data breaches since the beginning of the year.
The question is, how can organizations protect their customers and reputation when handling sensitive medical information?
Health data is hard to secure
The reality is that securing health information is very difficult because the landscape is highly fragmented. Medical processes usually involve a lot of different people and organizations, making it hard to track and control the access and use of patient and customer data. And the more users you add to the process, the easier it becomes for an attack to slip through the cracks.
Verizon’s recent 2018 Protected Health Information Data Breach Report puts that into perspective. According to Verizon, 58 percent of data breaches that involved health data were instigated by insiders. “Healthcare is the only industry in which internal actors are the biggest threat to an organization,” the report states. People who have access to health information might compromise it for personal gain or out of curiosity, but in many cases, security incidents are the result of bad security practices and honest mishandling of information.
Malicious actors often put ample resources and energy into breaching health data sources. The Anthem data breach, which accounted for the data of 78 million people, was allegedly perpetrated by resourceful state-backed actors. The targets of data breaches are often people who don’t know enough about best security practices or would rather sacrifice security for convenience.
In many cases, a well-planned phishing attack tricks a health worker into giving away sensitive credentials to malicious actors, who then use them to access and exfiltrate health data from the databases of the organization the victim works for.
The Verizon report makes another notable observation:
“70 percent of incidents involving malicious code within the healthcare sector were ransomware infections.”
Ransomware is a breed of malware that encrypts files on a computer’s hard drive and prevents victims from accessing them until they pay a ransom to the attacker. Hospitals and health organizations are especially attractive targets for ransomware attackers because they’re more inclined to pay up quickly, since without their data they effectively become paralyzed.
SamSam, an especially dangerous strain of ransomware, uses vulnerabilities in software and weak passwords to gain access to networks and hard drives in hospitals.
How can health organizations secure their sensitive data?
Making sure the health data you handle is secured and you don’t run afoul of regulations is complicated, but there are several measures that can considerably improve your defenses against data breaches and security incidents.
Reduce human errors with passwordless authentication
One of the main causes of data breaches is poor password selection and phishing attacks against employees. Hackers and malware use compromised credentials to access sensitive files and data records in the servers of health organizations.
Forcing employees to adhere to strong password principles will put too much strain on them and eventually result in some of them refusing to comply with the rules for the sake of convenience.
Passwordless authentication technologies reduce the attack surface of organizations by removing shared secrets that can give anyone who holds them access to sensitive digital assets. For the employees, passwordless authentication provides improved security without introducing friction or a bad user experience.
Deploy smart access controls to sensitive data
While passwordless authentication will protect your assets against outside hackers and careless mistakes by your own employees, it still won’t prevent malicious insiders from causing damage by stealing information.
The deployment of smart access control tools will make sure you can detect potentially malicious behavior before it deals damage to your organization and your clients. One example is behavioral analytics, which uses machine learning and statistical tools to analyze the normal behaviors of all users and set a baseline for their acceptable behavior.
As soon as an employee engages in activity that is unusual for their profile, say, trying to download an unusual volume of data or accessing assets that are unrelated to their work, the system can flag the operation and require further authorization or authentication steps. IT teams can then investigate and verify whether the activity is malicious or legitimate.
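The baseline-and-deviation logic described above, as an added example that is not part of the original article: each user's normal daily record volume and usual set of resources is learned from a training window of a constructed access log, and later events are flagged when the volume exceeds a z-score threshold, when a resource outside the user's baseline is touched, or when the user has no baseline at all. The log format, user names and threshold are assumptions made for this illustration.

```python
import statistics
from collections import defaultdict
# Constructed sample access log (not from any real system): date,user,resource,records_read
SAMPLE_LOG = """\
2018-08-01,nurse_a,ward_records,42
2018-08-02,nurse_a,ward_records,38
2018-08-03,nurse_a,ward_records,45
2018-08-01,clerk_b,billing_export,300
2018-08-02,clerk_b,billing_export,280
2018-08-03,clerk_b,billing_export,310
2018-08-04,nurse_a,ward_records,1900
2018-08-04,clerk_b,billing_export,305
2018-08-05,nurse_a,billing_export,12
2018-08-05,temp_c,ward_records,5
"""

def parse_log(text):  # 'date,user,resource,records'; ISO dates compare correctly as strings
    return [(d, u, r, int(n)) for d, u, r, n in
            (line.split(",") for line in text.splitlines() if line.strip())]

def build_baselines(events, baseline_until):
    """Learn each user's mean/stdev daily volume and usual resources from the training window."""
    volumes, resources = defaultdict(list), defaultdict(set)
    for date, user, resource, records in events:
        if date <= baseline_until:
            volumes[user].append(records)
            resources[user].add(resource)
    baselines = {}
    for user, vals in volumes.items():
        stdev = statistics.stdev(vals) if len(vals) > 1 else 0.0
        # floor the stdev so a flat or one-day history cannot divide by zero
        baselines[user] = (statistics.mean(vals), max(stdev, 1.0), resources[user])
    return baselines

def score_events(events, baselines, baseline_until, z_threshold=3.0):
    """Flag post-baseline events that deviate from the user's profile as (date, user, reason)."""
    flagged = []
    for date, user, resource, records in events:
        if date <= baseline_until:
            continue
        if user not in baselines:  # unknown user: nothing to compare against, escalate
            flagged.append((date, user, "no_baseline"))
            continue
        mean, stdev, known = baselines[user]
        if (records - mean) / stdev > z_threshold:
            flagged.append((date, user, "volume_spike"))
        if resource not in known:
            flagged.append((date, user, "new_resource:" + resource))
    return flagged
```

Parse the log once, build baselines over the training window (here everything up to 2018-08-03), then pass the same events and cut-off date to score_events; the three flagged tuples it returns are the cases an IT team would review.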
Use strong encryption
Many organizations never consider that their systems might eventually get breached and don’t prepare their infrastructure for that event. Storing sensitive data unencrypted means that as soon as a malicious actor gains access to the targeted servers, they’ll be able to walk away with whatever amount of data they wish.
By employing strong encryption, organizations can make sure that even if hackers breach their servers, they won’t be able to make use of sensitive data. Another important step is to make sure they don’t store the decryption keys in the same place as the data. Putting all eggs in the same basket is a recipe for disaster.
Use decentralized approaches
Organizations must also have a proper disaster recovery protocol, especially for their sensitive data. If a ransomware attack hits their systems and makes their critical health data unavailable, they should be able to quickly recover and resume their operation.
This means that, based on the time-criticality of their operations and information, organizations must have online and offline backups of their data, as well as ready-to-deploy hardware and a virtual instance of servers to be able to quickly bring their systems back online after being hit by an attack or a natural disaster.
Again, decentralization is key here. Health organizations must make sure they don’t store their backups in the same physical and virtual locations as the primary data, so that no single event can make their entire system unavailable and unrecoverable.
Some companies and organizations are exploring the use of blockchain in healthcare as a means to remove single points of failure and prevent data tampering and hacking incidents. Blockchain is the distributed ledger technology that supports cryptocurrencies such as bitcoin and obviates the need for centralized servers and intermediaries in the storage and exchange of information. The technology is still nascent, and we have yet to see its use become mainstream in the healthcare industry, but there is a strong movement in universities and emerging startups toward creating and deploying such solutions.