[BreachExchange] 5 best practices to avoid the pain of a health care data breach

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 20 18:58:38 EDT 2017


http://thirdcertainty.com/guest-essays/5-best-practices-to-avoid-the-pain-of-a-health-care-data-breach/

Researchers agree—health care is now one of the top three targets for cyber
attackers. No matter what type of health care facility you work in—a large
research hospital, clinic, regional medical center, health insurance
company, or a company that provides business or clinical services for
health care—the data you work with is worth millions of dollars on the dark
web. And attackers can hold a hospital hostage, almost instantly halt
operations, and disrupt critical medical processes.

Unlike financial data, with its built-in mechanisms for stopping suspicious
payments and protecting accounts, personal medical data is immutable. Once
it is stolen, the individuals to whom it rightfully belongs are at risk for
identity theft, impersonation and financial fraud, without any way to
protect themselves.

For health care organizations, data breach costs are high, averaging $355
per lost or stolen record, as compared to the costs for data theft from
educational ($246), research ($112), and public sector entities ($80),
according to Ponemon Institute’s “2016 Cost of Data Breach Study: Global
Analysis.” Moreover, breached organizations often are subjected to
lawsuits, which can run costs into millions of dollars. Breaches also can
ruin an organization’s reputation and destroy client trust.

Health care organizations should consider cyber protection a top priority.
For maximum efficacy, it is best to approach cyber protection holistically.

Fortunately, implementing security best practices immediately reduces the
risk of cyber compromise throughout the organization. The five practices
described here permit hospital CISOs, CIOs, security teams, and IT teams to
start protecting valuable data.

*Train employees*

Technical, administrative, and clinical staff must understand the
importance of practices such as never sharing passwords; avoiding the use
of default passwords and system configurations; changing passwords
regularly; patching systems to remain current; learning to spot suspicious
emails; and not clicking on embedded email links or attachments. Regular
follow-up training should make sure best practices are followed and adapted
as the threat landscape changes.

*Encrypt data*

Data should be encrypted both in transit, over the network and in email, and
at rest, using Transport Layer Security (TLS) 1.2 or higher and AES 256 or
higher. Data encryption protects against attackers who manage to breach
other defenses and against man-in-the-middle attacks, in which a malicious
actor intercepts communications to gain access to sensitive data.
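As an added illustration of the TLS floor the essay recommends (this is not code from the essay or its author), the following uses only Python's standard `ssl` module to build a client context that refuses anything below TLS 1.2 and offers only AES-256 suites for TLS 1.2, then audits a context against that policy; the policy values and the "weak" counter-example are constructed for the demonstration.

```python
import ssl

# Assumption (added example, not from the essay): the policy floor is TLS 1.2
# and AES-256, applied to a Python client context built from the stdlib.
AES256_MARKERS = ("AES256", "AES_256")


def build_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and, for TLS 1.2,
    offers only forward-secret AES-256 suites (TLS 1.3 suites are fixed by
    OpenSSL and are already AEAD)."""
    ctx = ssl.create_default_context()  # certificate + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AES256:!aNULL:!eNULL")
    return ctx


def weak_context() -> ssl.SSLContext:
    """Constructed counter-example: a context that still offers AES-128."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384")
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """Return (ok, problems): does ctx meet the TLS 1.2 / AES-256 floor?"""
    problems = []
    mv = ctx.minimum_version
    if mv != ssl.TLSVersion.MAXIMUM_SUPPORTED and mv < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum_version allows {mv.name}")
    for suite in ctx.get_ciphers():
        # set_ciphers() only governs TLS 1.2 suites; TLS 1.3 is left as-is
        if suite["protocol"] != "TLSv1.2":
            continue
        if not any(m in suite["name"] for m in AES256_MARKERS):
            problems.append(f"non-AES-256 TLS 1.2 suite offered: {suite['name']}")
    return (not problems, problems)


if __name__ == "__main__":
    for label, ctx in (("hardened", build_tls_context()), ("weak", weak_context())):
        ok, problems = audit_context(ctx)
        print(label, "OK" if ok else "FAIL", *problems, sep="\n  ")
```

The same audit can be run against any `SSLContext` an application already builds, which turns the essay's recommendation into a check that can fail a deployment rather than a sentence in a policy document.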

*Back up everything*

Data backups are crucial, especially to combat aggressive ransomware
attacks. The only way to return systems and devices to normal after a
successful ransomware attack is to restore from a clean backup. Back up
business, medical, device, email and other data on a regular schedule, and
keep backups in multiple physical locations.

*Perform regular scanning*

Health care organizations must regularly scan their networks, workstations,
mobile devices, and applications against known vulnerabilities. Cyber
attacks can enter through an organization’s network, wireless network,
applications, devices and the physical environment itself. Unlike an
enterprise into which only badged personnel or approved visitors can enter,
anyone can walk into a hospital. Visitors can easily hear a conversation
while standing in line, look over materials sitting out in the open, and
even plug a USB device into a wheeled nurse’s cart or other accessible
device. High risk also is associated with any text, chat and email messages
that the organization sends patients on their mobile devices.

*Conduct regular threat modeling*

Threat modeling and penetration testing exercises describe current threats
and reveal how attackers can target your organization. They identify
systems that can be leveraged to exploit vulnerabilities and potential
entry points into networks, applications and devices. And they help an
organization effectively address weaknesses. Threat modeling and
penetration exercises should be repeated regularly.

*Putting basics in place*

The security best practices described here provide organizations with
robust and proven protection against cyber theft of health care data. By
implementing these practices, health care facilities and organizations will
significantly improve their security postures without compromising services
for patients and their families.