Four cybersecurity mistakes health plans make

Jan 26, 2016

To help ensure you are doing all you can to prevent a security breach, we asked the experts to weigh in. Here they identify four of the biggest mistakes health plans are making.

It’s no secret that healthcare organizations are among the most valuable and most vulnerable targets for hackers. In the last five years, healthcare organizations have seen a 125% increase in data breaches, according to a study released by the Ponemon Institute in May 2015. The study also revealed that 91% of healthcare organizations and 59% of the business associates that work with them have experienced a data breach in the past two years. In total, more than 7 million patient records were affected by data breaches in 2013, according to Caradigm, which estimates that data breaches cost the healthcare system more than $5 billion a year.

Though many healthcare organizations are following and complying with HIPAA guidelines, attacks are becoming more nuanced and harder to detect. “The first layer is always defensive in nature: protect what you have, control access, track usage, and encrypt where appropriate,” says Gary Sockrider, principal security technologist at Arbor Networks. “Visibility comes next because you can’t defend against a threat you can’t see. It is critical to know what is happening and where your vulnerabilities exist. Visibility naturally leads to detection and incident response. But ideally an organization will need to evolve beyond reacting to the known and on to proactive hunting for the unknown.”

1. Outdated device policies

Mobile device security accounted for 40% of the worries reported by healthcare organizations in 2014, according to Caradigm. With more organizations allowing employees to connect their own devices to the company Wi-Fi, and more allowing those devices to reach hospital applications, that concern is warranted. To keep information secure, it is imperative to spell out how personal mobile devices may be used in a bring your own device (BYOD) policy.

“An effective BYOD security policy needs to start with some homework," says Mike Willingham, vice president of quality assurance and regulatory affairs at Caradigm. "First, the organization needs to take stock of the current environment. How are mobile devices being currently used?" Willingham suggests that health plans create a BYOD policy that covers these six areas:

  • Types of devices included in the BYOD policy (laptops, tablets, mobile phones, company owned, employee owned, non-employee owned);

  • Rules regarding what is allowed based on operating systems;

  • Rules regarding what devices, data types or applications are restricted;

  • Rules regarding monitoring of devices (for example, rules requiring apps to be run on each device to allow remote verification of proper configuration, audit logging, and remote wipe capability);

  • Basic controls required for each device (device profile/image, system configuration, malware prevention, endpoint protection); and

  • Enhanced controls required for certain devices (for example, whole disk encryption and multi-factor authentication).

“You must establish the reality of the current situation before setting a new BYOD policy,” Willingham says. “Many organizations have waited years before tackling this issue and there may be substantial remediation required in order to control it effectively moving forward.”

2. Overreliance on the cloud

Don’t assume that information stored “in the cloud” is safe, says Mounil Patel, vice president of strategic field engagement for Mimecast. Because many cloud-based vendors serve a large number of customers from shared infrastructure, Patel says, a single compromise can give hackers far more data in far less time than an attack on one organization.

“Moving to the cloud doesn’t absolve IT of risk management practices. The risk can actually increase in new areas,” Patel says. “By picking one lock, hackers have the ability to open many doors. Therefore, as vendor cloud infrastructure grows to handle more customers, the risk increases.”

The average healthcare organization uses 928 cloud services, and only 7% of those meet enterprise security and compliance requirements, according to Skyhigh Networks. This means that most of the cloud applications in use in healthcare could pose a risk.

Darren Guccione, CEO of Keeper Security, Inc., says health plans should audit their cloud-based vendors and those vendors’ security protocols the same way they audit the hardware and applications they run themselves. “With the average organization using almost a thousand of them, this might take some time. But the demand for cloud services grew so quickly over a very short period that providers had to sacrifice security to come online,” Guccione says. “Until more stringent security regulations govern cloud services, organizations will have to take the security of their data into their own hands.”

3. Exposing population health data

Comprehensive healthcare records include clinical data, but also financial data that can extend through a patient’s family. This is a goldmine for hackers, who pay $20 or more per health record on the black market, compared with $2 per credit card record, according to WEDI. With the growing need to collect, store, and share this information with multiple stakeholders, and with an increase in healthcare acquisitions and mergers, large amounts of data are in flux.

“2015 has been a huge turning point for the healthcare information security community, with external hackers infiltrating large companies with substantial data sets,” says Willingham. “All of the infiltrations were active for months before being detected. Organizations need to step up their attention and plans in protecting their data, which requires both skilled personnel and technology investments.”

Any time a plan aggregates large data sets, it likely establishes a large “surface area of attack” from a security threat perspective, he adds. “This requires a robust security strategy to assess the threats and establish controls and monitoring to manage the data, both in transit and at rest.”

4. Ignoring inside risks

When many people think about cybersecurity attacks, they may not think that their most trusted employees could be the biggest threat. However, according to a report by Spector Soft, the most risky users in an organization include managers with access to sensitive information, and contractors and consultants, who are often temporary workers.

Sockrider says that educating employees on security risks and vulnerabilities can empower them to take patient information and other sensitive data more seriously. However, he adds that employees are often unwittingly or purposely aiding in breaches. “Social engineering attacks have long been effective at getting employees to unwittingly provide information that can be used by cyber criminals,” Sockrider says. “Malicious insiders can infiltrate an organization either by masquerading as an employee or becoming one. While there are many tools and techniques to safeguard an organization, we must assume that a breach will eventually happen and therefore be prepared to deal with the inevitable.”

The Spector Soft report says that inadvertent data breaches account for 57% of insider threats, while malicious data breaches account for 53% of insider threats. With more data, more mobile devices in the office, and more collaboration between clinical, administrative and financial teams, this is a threat area that is increasingly hard to control.

“Most healthcare workers aren’t sitting at a desk all day with a dedicated computer. They are mobile and using multiple computing and storage devices throughout their typical workflow,” says Willingham. “And, these challenges assume that everyone is acting in good faith, which brings up the unique factor in security risk. We have to account for people with malicious intent, especially now that patient data has true value on the black market. When you combine all the workforce related risks together, it presents a substantial management challenge.”

Donna Marbury is a writer in Columbus, Ohio.