[BreachExchange] 4 healthcare data breach lessons to take to heart

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 2 20:24:23 EST 2016


http://www.beckershospitalreview.com/healthcare-information-technology/4-healthcare-data-breach-lessons-to-take-to-heart.html

Hospitals, health systems, payers and any organization with stewardship of
healthcare data are prime targets for cyberattacks. And there are plenty of
cautionary tales showing just how much damage hackers can do, with the
recent Hollywood Presbyterian Medical Center
<http://www.beckershospitalreview.com/healthcare-information-technology/hospital-pays-17k-ransom-to-get-medical-records-back-from-hackers.html>
ransomware attack and last year's massive Anthem
<http://www.beckershospitalreview.com/healthcare-information-technology/hackers-break-into-anthem-8-thing-to-know.html>
breach being just two incidents on a long list. While no healthcare
organization will ever be completely invulnerable to such attacks, they can
learn from others' mistakes.

Here are four lessons healthcare providers can consider when thinking about
data breach prevention and preparedness.

*1. Don't fall prey to known vulnerabilities*. The magnitude and frequency
of healthcare data breaches may seem shocking, but in most cases the root
causes are anything but a surprise. "Well over 90 percent of data breaches
last year were the result of hackers taking advantage of well-known
vulnerabilities," says Mac McMillan, CEO and co-founder of information
security and privacy consulting firm CynergisTek. "These were not super
sophisticated attacks." Proper patch management, up-to-date next-generation
firewalls, malware and antivirus filters and automated attack detection
methods go a long way in data breach prevention. All of these security
layers are standard fare. It is just common to let these strategies fall by
the wayside, despite the potential for severe consequences, he says.

*2. Utilize experience-based training*. Data breaches are equal parts a
tech problem and a people problem. The technology has to be up-to-date and
prepared to detect and deflect attempted breaches, but the best technology
can only do so much if the people using it are not just as vigilant.
Typical hospital and healthcare cybersecurity training involves a crash
course in basic terms, i.e. "What is malware," with a brief, yearly
refresher.

Mr. McMillan recommends an alternate course with a much more hands-on
approach. "Take a group of people and immerse them in an incident. Allow
them to experience it in real time and ask themselves 'What will I do now?'
This is much more meaningful. They have a better appreciation for what an
incident could really be like," he says.

For example, CynergisTek creates false phishing emails tied to quick
training sessions. If an employee opens the email, he or she is immediately
taken through a brief session detailing the potential consequences of
opening such an email and what should have been done instead. "You can
teach so much more in a 20-minute simulation than in an hour-long
discussion," says Mr. McMillan.

*3. Consider a third party for security audits*. Healthcare, though a
unique field, can learn much from other industries. The airline
and hotel industries offer insights into customer service, for instance,
and startup culture shows healthcare what it can mean to innovate. When it
comes to cybersecurity, healthcare can learn from the banking and financial
industry, retail and nearly any other highly-targeted field. "At the end of
the day, data are data and systems are systems. It does not matter what
kind of information you are processing. The way the bad guys attack other
industries is how they attack healthcare," he says.

Healthcare providers frequently keep all security functions in-house, but
Mr. McMillan cautions against eschewing the benefit of an outside set of
eyes. "We need to stop this nonsense of testing ourselves. Healthcare is
the only regulated industry that thinks it can do its own security audits.
You need an objective, third-party assessment," he says. A third-party firm
will have the benefit of high-level industry awareness and an outsider's
objective ability to see what someone immersed in a hospital's data and
strategies every day cannot.

*4. Create a contingency plan*. No matter how ironclad a hospital or
health system believes its cybersecurity strategy to be, there is always
the possibility of a breach. Rather than relying on the assumption a breach
will never happen, operate under the assumption it could happen at any
time. Create a plan for what to do when that day comes. "That hospital
[Hollywood Presbyterian] did not have a good plan for how to continue care
when they lost their network."

What would happen if your organization lost access to its data, to its
network or electronic communication? Have answers for those questions.
Build the necessary relationships to handle any of those situations in
reality. "When you are in the midst of a fire, you don't want to be running
around looking for the fireman," he says.