[BreachExchange] 3 Ways to Flatten the Health Data Hacking Curve

Destry Winant destry at riskbasedsecurity.com
Mon Jul 6 10:22:15 EDT 2020


https://www.darkreading.com/vulnerabilities---threats/3-ways-to-flatten-the-health-data-hacking-curve/a/d-id/1338164

With more people working from home, health data security is more
challenging but vitally important. These tips can help safeguard
healthcare data.

Healthcare data is being hacked at alarming rates, and we might know
why. According to a study by Trustwave, banking and credit data is
worth $5.40 per record on the Dark Web, while healthcare records are
worth over $250 each. This is because healthcare records typically
contain virtually all the private and protected information that
exists for that person, including banking and credit card data.

The rate that health systems are being targeted in phishing and social
engineering scams continues to increase. Comparing data from Verizon's
2016 and 2019 data breach reports, there has been a threefold increase
in both the number of data incidents and the number of actual data
breaches arising from those incidents. Further, those numbers are
still growing in 2020. (The 2020 version shows a shocking 71% increase
in breaches of healthcare information. It also shows that 43% of
phishing attacks and password-stealing malware originated from the
cloud, a twofold increase since 2019.)

The 2020 Verizon report also found 70% of all computer hacks were
completed by external actors, and 55% were completed by organized
crime groups. Is your organization as prepared to protect data as
hackers are in their intent to compromise it? The same report goes on
to note that 86% of the identified breaches were financially
motivated, with nearly 90% of all breaches being carried out by either
brute-force attack against "breakable" passwords or with stolen
credentials (most likely harvested by business email compromise
activities, like phishing attacks).

This is why it is essential to have the highest security standards if
your organization is entrusted to keep sensitive healthcare
information. But it's also important to recognize that hackers are
more sophisticated and savvier than ever. Bad actors are all over the
Dark Web and are working tirelessly to break through protections for a
big payday. With more people working from home, health data security
is increasingly challenging but vitally important. Here are three
things to keep in mind when protecting healthcare data.

Prepare to Be Hacked
Sooner or later, your organization is going to be hacked. What's
important is how quickly your organization's security team can detect
and contain the hack. The healthcare industry has traditionally
prioritized preventing data hacks over detecting and containing them,
which puts companies in a position of weakness. Verizon's 2020 data
breach report found that while detection and response to breach events
have generally improved, over 25% of breaches went undiscovered for
months.

Organizations should create a balance among prevention, detection, and
containment, and proactively build firewalls of protection as well as
implement detective controls and response mechanisms. The key is
knowing that a breach has occurred in real time, and then having
predefined plans for responding to, containing, and recovering from
the incident. By failing to identify a data breach quickly, a company
could increase costs by 30% to deal with the breach, leaving the
individuals whose data was exposed vulnerable. Preparations are
straightforward and can be based on well-established security
protocols and safeguards. For example, organizations that leverage
cloud-provisioned applications (Office365, Google Apps, Box, AWS,
Salesforce, etc.) will find the deployment of multifactor
authentication tools to be a prudent and effective protection mechanism.

Protections Must Go Beyond HIPAA
While complying with the Health Insurance Portability and
Accountability Act (HIPAA) and the Health Information Trust (HITRUST)
Alliance are good starting points, organizations should go beyond
these regulations as they establish only the minimum requirements for
compliance with the federal rules. Consumers have concerns about the
protection of their individually identifiable healthcare information
and expect organizations that hold their data to do more than just
what is required by law to protect that information.

The ultimate security certification is called SOC 2 Type II, and it's
what organizations should strive for. It is the most comprehensive
certification within the System and Organization Controls (SOC)
framework. A company that has achieved SOC 2 Type II has proved its
system is designed to keep sensitive data secure.

Without ongoing validation that security solutions are working as
promised, businesses can be caught off-guard when an attempted hack is
successful, and the financial impact and cost to brand reputation can
be highly disruptive and long-lasting.

Practice Good Cyber Hygiene
Sometimes, lack of employee diligence is the reason systems get
hacked. For example, many people's out-of-office messages give too
many details, such as "for help with this, contact this person," which
allows hackers to see a chain of command and contact information for
other people at the company. Unfortunately, there are always bad
actors looking to profit from situations and instances like these by
leveraging the abnormality of operations to encourage unsuspecting
employees to take actions they otherwise would not. Make employees
aware of phishing attempts, such as emails with "breaking news"
related to COVID-19, or the usual scam fodder with emails about the
election cycle or the extension of tax season. Altogether, this makes
it a very dangerous time for healthcare information and the
organizations entrusted with it.

Remind employees to continue to practice good cyber hygiene and
social-engineering awareness. Don't open unexpected emails or
attachments. Don't open email from an unknown or untrusted source.
Don't fall victim to those sensational email headlines and text
messages.

Once compromised, the confidentiality of hacked data cannot be
restored. With more people working remotely than ever during the
pandemic, we do not yet know what the new normal will look like or
when we will get there. But our workplaces and work habits have been
changed permanently because of it. It is likely prudent to assume we
have entered the realm of the perimeter-free workplace, and that
remote work combined with less populated and less-dense office
locations will be part of that future new normal. Now is the time to
evaluate and assess what that might look like for each of our
organizations and do what we can to protect healthcare data.
