Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

6/30/2020
10:00 AM
David MacLeod
Commentary

3 Ways to Flatten the Health Data Hacking Curve

With more people working from home, health data security is more challenging but vitally important. These tips can help safeguard healthcare data.

Healthcare data is being hacked at alarming rates, and we might know why. According to a study by Trustwave, banking and credit data is worth $5.40 per record on the Dark Web, while healthcare records are worth over $250 each. This is because healthcare records typically contain virtually all the private and protected information that exists for that person, including banking and credit card data.

The rate at which health systems are being targeted in phishing and social engineering scams continues to increase. Comparing data from Verizon's 2016 and 2019 data breach reports, there has been a threefold increase in both the number of data incidents and the number of actual data breaches arising from those incidents. Further, those numbers are still growing in 2020. (The 2020 version shows a shocking 71% increase in breaches of healthcare information. It also shows 43% of phishing attacks, and malware that steals passwords, originated from the cloud. This is a twofold increase since 2019.)

The 2020 Verizon report also found 70% of all computer hacks were completed by external actors, and 55% were completed by organized crime groups. Is your organization as prepared to protect data as hackers are in their intent to compromise it? The same report goes on to note that 86% of the identified breaches were financially motivated, with nearly 90% of all breaches being carried out by either brute-force attack against "breakable" passwords or with stolen credentials (most likely harvested by business email compromise activities, like phishing attacks).

This is why it is essential to have the highest security standards if your organization is entrusted to keep sensitive healthcare information. But it's also important to recognize that hackers are more sophisticated and savvier than ever. Bad actors are all over the Dark Web and are working tirelessly to break through protections for a big payday. With more people working from home, health data security is increasingly challenging but vitally important. Here are three things to keep in mind when protecting healthcare data.

Prepare to Be Hacked
Sooner or later, your organization is going to be hacked. What's important is how quickly your organization's security team can detect and contain the hack. The healthcare industry has traditionally prioritized preventing data hacks over detecting and containing them, which puts companies in a position of weakness. Verizon's 2020 data breach report found that while detection and response to breach events have generally improved, over 25% of breaches went undiscovered for months.

Organizations should create a balance among prevention, detection, and containment, and proactively build firewalls of protection as well as implement detective controls and response mechanisms. The key is knowing that a breach has occurred in real time, and then having predefined plans for responding to, containing, and recovering from the incident. By failing to identify a data breach quickly, a company could increase costs by 30% to deal with the breach, leaving the individuals whose data was exposed vulnerable. Preparations are straightforward and can be based on well-established security protocols and safeguards. For example, organizations that leverage cloud-provisioned applications (such as Office365, Google Apps, Box, AWS, and Salesforce) will find the deployment of multifactor authentication tools a prudent and effective protection mechanism.

Protections Must Go Beyond HIPAA
While compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Trust Alliance (HITRUST) is a good starting point, organizations should go beyond these regulations, as they establish only the minimum requirements for compliance with the federal rules. Consumers have concerns about the protection of their individually identifiable healthcare information and expect organizations that hold their data to do more than just what is required by law to protect that information.

The ultimate security certification is called SOC 2 Type II — and it's what organizations should strive for. It is the most comprehensive certification within the Systems and Organization Controls (SOC) protocol. A company that has achieved SOC 2 Type II has proved its system is designed to keep sensitive data secure.

Practice Good Cyber Hygiene
Sometimes, lack of employee diligence is the reason systems get hacked. For example, many people's out-of-office messages give too many details, such as "for help with this, contact this person," which allows hackers to see a chain of command and contact information for other people at the company. Unfortunately, there are always bad actors looking to profit from situations and instances like these by leveraging the abnormality of operations to encourage unsuspecting employees to take actions they otherwise would not. Make employees aware of phishing attempts, such as emails with "breaking news" related to COVID-19, or the usual scam fodder with emails about the election cycle or the extension of tax season. Altogether, this makes it a very dangerous time for healthcare information and the organizations entrusted with it.

Remind employees to continue to practice good cyber hygiene and social engineering standards. Don't open unexpected emails and attachments. Don't open email from an unknown or untrusted source. Don't fall victim to those sensational email headlines and text messages.

Once compromised, the confidentiality of hacked data cannot be restored. With more people working remotely than ever during the pandemic, we do not yet know what the new normal will look like or when we will get there. But our workplaces and work habits have been changed permanently because of it. It is likely prudent to assume we have entered the realm of the perimeter-free workplace, and that remote work combined with less populated and less-dense office locations will be part of that future new normal. Now is the time to evaluate and assess what that might look like for each of our organizations and do what we can to protect healthcare data.

David is a Senior Vice President, CIO and CISO at Welltok, where he leads an award-winning security team and is a highly-regarded industry expert who emphasizes the importance of early detection and higher privacy standards for healthcare entities. He is responsible for ...
 
