Dark Reading is part of the Informa Tech Division of Informa PLC



6/30/2020
10:00 AM
David MacLeod
Commentary

3 Ways to Flatten the Health Data Hacking Curve

With more people working from home, health data security is more challenging but vitally important. These tips can help safeguard healthcare data.

Healthcare data is being hacked at alarming rates, and we might know why. According to a study by Trustwave, banking and credit data is worth $5.40 per record on the Dark Web, while healthcare records are worth over $250 each. This is because healthcare records typically contain virtually all the private and protected information that exists for that person, including banking and credit card data.

The rate at which health systems are being targeted in phishing and social engineering scams continues to increase. A comparison of Verizon's 2016 and 2019 data breach reports shows a threefold increase in both the number of data incidents and the number of actual data breaches arising from those incidents. Further, those numbers are still growing in 2020. (The 2020 version shows a shocking 71% increase in breaches of healthcare information. It also shows that 43% of phishing attacks, and malware that steals passwords, originated from the cloud. This is a twofold increase since 2019.)

The 2020 Verizon report also found 70% of all computer hacks were completed by external actors, and 55% were completed by organized crime groups. Is your organization as prepared to protect data as hackers are in their intent to compromise it? The same report goes on to note that 86% of the identified breaches were financially motivated, with nearly 90% of all breaches being carried out by either brute-force attack against "breakable" passwords or with stolen credentials (most likely harvested by business email compromise activities, like phishing attacks).

This is why it is essential to have the highest security standards if your organization is entrusted to keep sensitive healthcare information. But it's also important to recognize that hackers are more sophisticated and savvier than ever. Bad actors are all over the Dark Web and are working tirelessly to break through protections for a big payday. With more people working from home, health data security is increasingly challenging but vitally important. Here are three things to keep in mind when protecting healthcare data.

Prepare to Be Hacked
Sooner or later, your organization is going to be hacked. What's important is how quickly your organization's security team can detect and contain the hack. The healthcare industry has traditionally prioritized preventing data hacks over detecting and containing them, which puts companies in a position of weakness. Verizon's 2020 data breach report found that while detection and response to breach events have generally improved, over 25% of breaches went undiscovered for months.

Organizations should create a balance among prevention, detection, and containment, and proactively build firewalls of protection as well as implement detective controls and response mechanisms. The key is knowing that a breach has occurred in real time, and then having predefined plans for responding to, containing, and recovering from the incident. A company that fails to identify a data breach quickly could increase the cost of dealing with the breach by 30%, while leaving the individuals whose data was exposed vulnerable. Preparations are straightforward and can be based on well-established security protocols and safeguards. For example, organizations that leverage cloud-provisioned applications (for example, Office365, Google Apps, Box, AWS, Salesforce, etc.) will find the deployment of multifactor authentication tools a prudent and effective protection mechanism.

Protections Must Go Beyond HIPAA
While complying with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Trust (HITRUST) Alliance are good starting points, organizations should go beyond these regulations, as they establish only the minimum requirements for compliance with the federal rules. Consumers have concerns about the protection of their individually identifiable healthcare information and expect organizations that hold their data to do more than just what is required by law to protect that information.

The ultimate security certification is called SOC 2 Type II — and it's what organizations should strive for. It is the most comprehensive certification within the Systems and Organization Controls (SOC) protocol. A company that has achieved SOC 2 Type II has proved its system is designed to keep sensitive data secure.

Practice Good Cyber Hygiene
Sometimes, lack of employee diligence is the reason systems get hacked. For example, many people's out-of-office messages give too many details, such as "for help with this, contact this person," which allows hackers to see a chain of command and contact information for other people at the company. Unfortunately, there are always bad actors looking to profit from situations and instances like these by leveraging the abnormality of operations to encourage unsuspecting employees to take actions they otherwise would not. Make employees aware of phishing attempts, such as emails with "breaking news" related to COVID-19, or the usual scam fodder with emails about the election cycle or the extension of tax season. Altogether, this makes it a very dangerous time for healthcare information and the organizations entrusted with it.

Remind employees to continue to practice good cyber hygiene and social engineering standards. Don't open unexpected emails and attachments. Don't open email from an unknown or untrusted source. Don't fall victim to those sensational email headlines and text messages.

Once compromised, the confidentiality of hacked data cannot be restored. With more people working remotely than ever during the pandemic, we do not yet know what the new normal will look like or when we will get there. But our workplaces and work habits have been changed permanently because of it. It is likely prudent to assume we have entered the realm of the perimeter-free workplace, and that remote work combined with less populated and less-dense office locations will be part of that future new normal. Now is the time to evaluate and assess what that might look like for each of our organizations and do what we can to protect healthcare data.

David is a Senior Vice President, CIO and CISO at Welltok, where he leads an award-winning security team and is a highly-regarded industry expert who emphasizes the importance of early detection and higher privacy standards for healthcare entities. He is responsible for ...
 
