CYBERSECURITY IN HEALTHCARE
Recent advancements in tech have had a tremendously
positive impact on the healthcare industry.
Thanks to improved services like electronic health
records, information can be shared faster and more
efficiently. This makes it easier for healthcare facilities
to store patient records long term and cut operating
costs. It also helps patients by providing personalized
care when they need it the most.
INTRODUCTION
FOR HEALTHCARE PROFESSIONALS AND THE PATIENTS THEY SERVE, THE CURRENT TECHNOLOGY BOOM IS OVERWHELMINGLY BENEFICIAL.
Technology has even streamlined basic applications in
a healthcare environment in a number of ways.
Healthcare facilities can automate certain basic tasks
like sending checkup reminders and enabling patients
to schedule appointments online without ever picking
up the phone.
This relieves professionals of the burden of these
important yet admittedly basic tasks and frees them up
to return to doing the most important thing of all:
PROVIDING THE BEST POSSIBLE CARE TO THOSE IN NEED.
These are just a few of the countless examples of how
tech solutions positively impact the lives of millions of
people on a daily basis in the world of healthcare.
As with all tech advancements, however, there is
another side to the coin. These solutions enable us to
access our networks virtually anywhere on any device,
meaning that threats have a myriad of opportunities to
breach your security wall. Attacks are so prevalent that
today it is increasingly common to hear reports about
yet another massive data breach that has struck a
recognizable company.
Perhaps the most famous recent example is the
Sony Pictures International hack in 2014. Between
lost revenue from films that leaked onto the internet
to the unquestionable damage that was done to the
reputations of writers, directors, actors, and studio
executives after confidential e-mails were leaked to the
public, the data breach is projected to cost Sony over
$100 million.
Entertainment companies aren’t alone when facing
these issues. Anthem recently experienced a significant
hack that put the personal information of more than 80
million people at risk.
That total included current customers, former customers
and employees. Sony’s woes from “The Interview”
losing a weekend box office were terrible, but had little
to no impact on the safety of the public.
Anthem’s security breach dangerously placed the
personal healthcare information of 80 million people
into the hands of criminals.
EXPERTS PREDICT THAT THE FALLOUT FROM THE ANTHEM BREACH COULD TOTAL MORE THAN $100 MILLION IN TERMS OF FINES, PENALTIES AND CLASS ACTION LAWSUITS ALONE - TO SAY NOTHING OF THE DAMAGE THAT WAS DONE TO ITS REPUTATION.
While Anthem may be able to weather the storm because
of its size - smaller healthcare companies may not be
so lucky. To put it simply, healthcare professionals must
take steps to be digitally secure and compliant or risk
becoming another statistic.
In order to digitally protect a healthcare facility and
the patients that depend on it, you need to take full
advantage of the best tools available.
By far, the most powerful weapon that healthcare
professionals have in their arsenal is an evolving
defensive strategy.
Cyber security in a healthcare environment means not
only turning your attention towards what you can do
to fight threats of today, but also learning more about
ongoing protection from threats in the future.
Take a look at the state of cyber security in healthcare
based on a list of current trends. In April of 2014, the
FBI issued a warning to the healthcare industry about
the threat that hackers could pose to their operations.
The report from the FBI, which was later obtained and
published in its entirety by Reuters, said that “The
healthcare industry is not as resilient to cyber intrusions
compared to the financial and retail sectors, therefore
the possibility of increased cyber intrusions is more
likely.”
CURRENT TRENDS
The report indicated a startling trend - cybersecurity
systems in healthcare routinely lagged behind those in
other industries, including entertainment. Consider that
the cyber security at Sony Pictures International was
significantly stronger than the systems used in most
healthcare facilities. Despite taking precautions, Sony
Pictures was still victim to the largest data breach of a
private entity in the history of the Internet.
Even with the call to action in the FBI report, many
healthcare executives haven’t reacted. In a survey
conducted by Becker’s Health IT & CIO Review, nearly
75% of those who responded indicated that they did
not believe that the chief information security officer
(CISO) in a healthcare facility should be part of the
leadership team of that organization. As many as 55%
of those who responded, however, indicated that the
CISO should assume responsibility for data breaches.
For the CISO, this is something of a catch-22. They aren’t
given enough influence within the organization, yet they
bear the full brunt of responsibility should something go
wrong. This contradictory line of thinking perhaps
underscores the current issues in the healthcare industry
with regards to cyber security better than anything else.
These technological decisions that protect confidential
healthcare data need to be presented by the CISO at an
executive level. Unfortunately, more often than not, that
isn’t happening in most organizations.
A large part of understanding the severity of a threat
involves understanding exactly why it exists in the first
place.
Data breaches don’t just happen “because they can”
- they happen because personal data is a valuable
commodity to hackers. Unfortunately, there are
underground marketplaces online where the personal
data of individuals goes for top dollar, incentivizing
hackers to breach systems in hopes of making a
handsome profit.
EXAMINING THE THREAT
According to Becker’s Health IT & CIO Review, the type
of information that a hacker can obtain by attacking a
healthcare facility isn’t just more valuable than credit
card numbers and other types of financial information -
it is literally up to 10 times more valuable.
When a hacker steals a credit card number, it generally
has a very limited lifespan - and therefore is a limited
income stream for that individual. They may be able to
quickly charge a few hundred or even a few thousand
dollars worth of purchases to the card, but the issue is
likely to be discovered very quickly and the card number
will become invalid as a result.
THANKS LARGELY TO THE FACT THAT HOSPITALS AND OTHER HEALTHCARE
FACILITIES HAVE LOW CYBER SECURITY STANDARDS IN GENERAL, THEY BECOME
PRIME TARGETS FOR HACKERS.
PhishLabs, a cyber crime protection company, estimates
that stolen healthcare information, credentials and other
types of documents can be sold for as much as around
$10 per individual on the black market. This is between
10 and 20 times more than a credit card number.
One reason for this trend is that
medical identity theft is much harder to track. While a
stolen credit card can be deactivated quickly, a data
breach from a healthcare facility has a more long term
payoff. Hackers can use that information over time to
generate a series of fake IDs that can then be used to
buy drugs, medical equipment and other goods that
can then be resold at a premium.
Not only is it easier for hackers to do damage in this
type of environment, but the extent of the damage is
also significantly higher than it is anywhere else. This
creates a perfect storm for patients and healthcare
facilities.
Though the cyber security discussion in healthcare may
seem grim, there is a silver lining. There are several
recognized tools that can protect your organization’s
sensitive healthcare information.
Currently, the number of healthcare practitioners who
use these tools is far too small. In order to protect
their employees, patients and reputations, healthcare
facilities need to invest in security intelligence solutions.
YOUR OPTIONS
SECURITY INTELLIGENCE
The major security issue for most healthcare
organizations is that they only focus on building
a reactive defense. This is the wrong approach entirely.
Instead of allowing themselves to fall victim to a
security breach and then asking “What can we do
now to make sure that doesn’t happen again?”, the
organization should instead be asking “What can we do
now to prevent a potential attack?”
DATA SECURITY
Professionals need visibility of the entire lifecycle of a
file. This includes: who created it, where it was stored
and where it ended up, and also who sent it, who
requested it and accessed it, when it was opened,
whether or not it is currently being downloaded, and
more.
It’s important to understand that personal health
information isn’t just vulnerable while it is sitting on a
hard drive in a doctor’s office. A patient’s medical records
are at the greatest risk when they are transferred from
one physician’s office to another for a second opinion.
FOR MAXIMUM DATA SECURITY IN THIS TYPE OF SITUATION, ALL FILE SHARING ACTIVITIES NEED TO BE VALIDATED.
Encryption techniques for data security are also a must
in today’s climate. Even though HIPAA does not
require data encryption, encryption is no longer just a
recommendation - it is a requirement for protecting
sensitive data moving forward. Encryption needs to be
present both while PHI documents are at rest on a
facility’s hard drive and while they’re in transfer. Not only
should the encryption be at least 128-bit, but it also needs
to use a unique encryption key for each file that is stored
in a secondary location.
This will all go a long way towards making sure that
even if a healthcare facility’s network is compromised,
the sensitive data contained on it will be safe.
The largest insurance companies, the smallest private
practitioners and everyone in between need someone
dedicated to the ever changing cyber security rules and
regulations on both the federal and state levels.
ABOVE ALL ELSE, HEALTHCARE ORGANIZATIONS NEED TO DEVELOP A SECURITY-DRIVEN CULTURE THAT BEGINS IN LEADERSHIP POSITIONS.
For instance, if a hospital employee working remotely
needs to access the server, they should be subject
to certain policies, protocols, security settings and
advanced configurations that will help prevent them
from becoming a vulnerability.
Another essential standard to enforce is the ability to
log not only devices for security audit purposes but
individual actions.
ENDPOINT SECURITY
You should additionally be able to gauge when a user
first accessed the system, session length and what they
did during that time.
AT ANY GIVEN TIME YOU SHOULD BE ABLE TO SEE WHO IS ACCESSING SPECIFIC FILES FROM SPECIFIC DEVICES.
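The audit questions raised above (when a user first accessed the system, how long the session lasted, what they did, and who touched which file from which device) can be answered from an access log, as in this added example, which is not part of the original document. The event format, the user, device and file names, and the 30-minute idle timeout are assumptions, and the log entries are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (assumed format): time, user, device, action, file
EVENTS = [
    ("2015-03-02T08:01:10", "nurse_a", "ward-pc-07", "login", None),
    ("2015-03-02T08:03:42", "nurse_a", "ward-pc-07", "open", "phi/patient-1001.pdf"),
    ("2015-03-02T08:20:05", "nurse_a", "ward-pc-07", "download", "phi/patient-1001.pdf"),
    ("2015-03-02T09:00:00", "dr_b", "clinic-tab-3", "login", None),
    ("2015-03-02T09:05:00", "dr_b", "clinic-tab-3", "open", "phi/patient-2002.pdf"),
    ("2015-03-02T13:15:00", "nurse_a", "home-laptop-2", "login", None),
    ("2015-03-02T13:16:30", "nurse_a", "home-laptop-2", "open", "phi/patient-1001.pdf"),
]
IDLE_GAP = timedelta(minutes=30)  # assumed idle timeout that closes a session


def build_sessions(events, idle_gap=IDLE_GAP):
    """Group events per (user, device); a silence longer than idle_gap starts a new session."""
    by_key = defaultdict(list)
    for ts, user, device, action, path in events:
        by_key[(user, device)].append((datetime.fromisoformat(ts), action, path))
    sessions = []
    for (user, device), rows in by_key.items():
        rows.sort(key=lambda r: r[0])
        current = None
        for when, action, path in rows:
            if current is None or when - current["end"] > idle_gap:
                current = {"user": user, "device": device, "start": when,
                           "end": when, "actions": []}
                sessions.append(current)
            current["end"] = when
            current["length"] = when - current["start"]  # session length so far
            current["actions"].append((action, path))
    return sorted(sessions, key=lambda s: s["start"])


def file_access_index(events):
    """Answer 'who is accessing specific files from specific devices'."""
    index = defaultdict(set)
    for _ts, user, device, _action, path in events:
        if path is not None:
            index[path].add((user, device))
    return dict(index)


if __name__ == "__main__":
    for s in build_sessions(EVENTS):
        print(s["user"], s["device"], s["start"], s["length"], s["actions"])
    print(file_access_index(EVENTS))
```

The same patient file appearing under two devices for one user, as in the sample data, is the kind of entry a reviewer would check against the remote-access policy.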
A common theme in cyber security is not asking
“what did happen?”, but “what might happen?” Just
as predictive analytics help turn an eye towards a
disastrous potential future, those in decision making
positions within healthcare organizations need to do
the same.
AN EYE TOWARDS THE FUTURE
IT IS IMPORTANT THAT YOU TAKE STEPS TO MAKE SURE THAT YOUR ORGANIZATION IS PROTECTED AGAINST THE THREATS OF TODAY AND THE THREATS OF TOMORROW.
The major mistake that healthcare facilities make
involves assuming that their current security measures
are sufficient. That oversimplification accomplishes
nothing on the best of days and only sets up a disaster
on the worst.
The dirty little secret of cyber security is that you can
never do enough to keep important medical information
out of the hands of those who may wish to do you harm.
Only by both understanding the threat and by taking
proactive steps towards enterprise security can you
enjoy the benefits that technology has to offer with as
few of the downsides as possible.
EVERY YEAR THERE IS A LIST OF THE TOP DATA AND SECURITY BREACHES IN THE HEALTHCARE INDUSTRY. MAKE SURE THAT YOU’RE TAKING THE RIGHT STEPS TO KEEP OFF THE LIST.
yourCloud: Together we take a workload by workload
view to determine the best target infrastructure to
deploy your business applications - on or off-premise.
yourData: What can we learn from your business data to
help us craft intelligent solutions for protection, security,
compliance and resiliency of your most important asset
next to your people?
ABOUT US
yourSecurity: As a team, we work together to establish
a holistic and mature security posture that will help
detect, prioritize, address and help prevent security
breaches.
yourSupport: We ask, “Is everything essential to running
my business fully protected?” Define and address
gaps in coverage whether it be people, resources or
knowledge.
Our goal is to provide strategic outcomes that align
technology with the goals and objectives of your
business.
For more info click or call 800.991.9274 -
THINKASG.COM
YOUR TRUSTED IT CONSULTING AND SOLUTION PROVIDER, ALIGNED WITH YOUR BUSINESS
thinkASG enables technology and business alignment through timely expertise, services and
solutions crafted to meet long-term vision, goals and objectives of the business.