Healthcare organizations have been hit hard by data breaches over the last several years, creating a cybercrime wave that has cost organizations millions of dollars and put vast amounts of patient data at risk.

In 2014, Tennessee-based Community Health Systems was breached twice, with hackers making off with the names, addresses, birthdates, and telephone numbers of 4.5 million patients. Then, in 2015, Anthem fell victim to a data breach that exposed nearly 79 million patient records. The organization agreed to pay the federal government $16 million to settle claims in October 2018. Furthermore, in 2018 alone, there were at least 8 major cybersecurity incidents within healthcare systems, including Advocate Health Care Network, which manages 12 hospitals and 200 other facilities in Illinois. In August, the company announced it would pay $5.5 million to the U.S. Health and Human Services Department for violations of federal patient privacy laws.

Healthcare organizations are under attack because, as outlaw Jesse James is claimed to have said, “That’s where the money is.” The cost of healthcare systems recovering from a breach is nearly $4 million, yet 41% of surveyed healthcare organizations indicate that less than 3% of their IT budgets are dedicated to security.

With a giant target on their backs, how are these organizations protecting themselves from the persistent threat of cybercriminals?

Healthcare—Follow the Money Healthcare organizations are a goldmine for cybercriminals. The black market value of a medical record averages $408, more than 3 times the going rate for a credit card record ($110). Breaches cost between $2.8 and $6 million in lost customer revenue. Some of the leading causes of attacks within healthcare systems include insider threats, internet of things (IoT) device breaches, targeted ransomware attacks, and supply chain vulnerabilities.

To defend against these incidents, healthcare organizations should implement a strong cybersecurity infrastructure to help protect against the varying threats to customers’ data. Part of building a strong defense is understanding the objectives and challenges of securing data in the healthcare industry:

Objectives:

  • Meet HIPAA requirements
  • Protect ePHI data
  • Build secure infrastructure
  • Secure medical end points
  • Enable seamless processes
  • Make security easy for end-users (e.g., doctors, nurses, administrators, etc.)

Challenges:

  • Meager understanding of the data landscape
  • Poor authentication controls
  • Weak role-based controls
  • Stubborn end-user adoption
  • Non-prescriptive requirements for HIPAA compliance
  • Inadequate point solutions that do not resolve potential ripple effects

Compliance Is Not Security

Healthcare companies may also have a false sense of safety since they are compliant with legal and regulatory requirements, such as HIPAA. Yet, nearly all the healthcare companies hacked in recent years have been compliant. Threat actors are persistent, innovative, and often one step ahead of the compliance standards designed to stop them. Compliance is not security.

To comply, for instance, you only need to demonstrate that your system meets minimum requirements during any period of time, as might be defined by your auditor. Security, on the other hand, requires continual monitoring and assessment of attack vectors and a changing risk environment. You need to protect against not just known threats, but also ones that haven’t been identified yet. Organizations need to respond dynamically to emerging threats, putting in place both proactive and reactive responses.

A few compliance and security factors to consider in your environment:

Compliance:

  • Do you know your scope?
  • Do you know your data within that scope?
  • Is compliance your baseline or objective?
  • Do you understand the compliance requirements?
  • Have you mapped to external requirements?
  • Are you following audit best practices?
  • Do you have the right security partner?

Security:

  • Do you know your adversaries?
  • Do you have the visibility you need?
  • Is your Operations appropriately configured and staffed?
  • Have you built a culture of security across your business?
  • Have you combined people + processes + technology?
  • Do you have appropriate measures in place?
  • Do you have trusted partners?

Ultimately security is built for threats, not compliance checklists. Can your organization address the incidents threatening healthcare systems, or are you simply checking compliance boxes? Your security program should be the driving force behind adherence to compliance standards, not the other way around.

Armor Anywhere: Security in the Public Cloud(s)

One way to protect valuable data is by partnering with a trusted security vendor. Armor provides cybersecurity to healthcare organizations through a shared responsibility model in which:

  • Public cloud customers manage and secure their workloads and data
  • Armor reduces the burden of these challenges by sharing both risk and responsibility
  • Armor security solutions were purpose-built to achieve a secure and HIPAA-compliant posture for workloads and data

Our cloud-based solution provides comprehensive data protection, secure data collection and management, threat intelligence, managed detection, continual response, and real-time visibility.

Threats to healthcare organizations are on the rise and simply complying with existing regulations will do little to protect your patients’ information. Armor can help you move from limited, reactive compliance to robust cybersecurity. For more information about how Armor’s cloud-based approach could work for your organization, get in touch. You can also watch the webinar that inspired this blog.