Yes, You Can Prevent that Healthcare Data Breach

Reggie Best, CEO, Lumeta, a FireMon Company
DECEMBER 05, 2018
Healthcare organizations can take proactive steps that could help prevent a data breach.

Healthcare organizations are trusted by their patients to be custodians of massive amounts of highly confidential data, namely, patient health records, payment details and other personally identifiable information (e.g., Social Security numbers). These data are highly valued on the black market, making healthcare one of the most targeted industries by hackers and other cybercriminals.

According to HIPAA Journal, U.S. healthcare data breaches are reported at the rate of one per day, with hacking emerging as a dominant activity causing the breach of data. Since the inception of breach activity reporting in 2009, more than 176 million health records have been exposed — that figure is greater than 50 percent of the U.S. population. Clearly, patient trust in the safety of their healthcare information is misplaced — and storing and keeping private data, well, private is a massive challenge for the U.S. healthcare industry.


But as scary as this sounds, it’s probably just the opening round in a topic that may have even more far-reaching implications in the future. What happens if or when hacker behavior affects patient outcomes? We’ve seen a raft of ransomware attacks in healthcare lately — attacks that hold data hostage, awaiting payment of a ransom to the bad actor. In this age of healthcare digital transformation, timely access to accurate information is likely to affect those highly valued patient outcomes. It’s not just about reputation and loss of records anymore. It’s about life and death. What happens when patient information inevitably becomes richer, likely including our individual genetic data and customized treatments based on it? How important will it be then to safeguard the patient’s information?

As the cloud computing shift continues and the healthcare industry continues to incorporate new technologies into its arsenal, safeguarding data becomes even more challenging. With digital transformation of this size and scope comes new security challenges introduced via third-party providers and internet of things (IoT)-connected devices, for example.

Some of the most common security challenges facing healthcare organizations today include:
  • A lack of visibility into what they have — endpoint assets — in the IP-based network. This includes undocumented and legacy systems, including IP-enabled, wireless medical devices connecting to the network.
  • A lack of visibility into what the network is, whether that infrastructure is being managed and whether there are vulnerabilities due to unknown and unmanaged systems or paths, which can be more easily exploited by bad actors.
  • Network infrastructure, configuration and path risks resulting from mergers and acquisitions (M&As) and an expanding digital ecosystem of third parties.
  • Rapidly expanding visibility gaps due to digital transformation and migration to hybrid-cloud datacenter workloads.


Technology Challenges in Securing IoT Environments

Any IP-based device can expose an organization to a data breach. Most staff aren’t IT or security specialists, and they do not understand how IP-based devices can be compromised. In addition, most organizations cannot identify the number of computer systems, endpoints or medical devices on their network(s), let alone monitor them in real-time.

Printers and cameras are two well-known classes of IoT devices that exist on most business networks, including within healthcare. There are well-documented, even sensational, stories about how networked printers were compromised, serving as part of a botnet army to disrupt network traffic. And there have been similar cases of cameras being compromised by a bad actor to eavesdrop on local activity. What about lighting/power control systems, infusion pumps, heart monitors, dialysis equipment, X-ray, MRI and CAT imaging equipment? The only difference is that, if those medical devices are compromised, it might impact a patient outcome.


Current solutions, readily available in the market today or commonly used by many organizations, are fundamentally flawed at providing the full visibility needed to secure healthcare networks effectively. On average, our empirical data in production environments shows that over 40 percent of today’s dynamic networks, endpoints and cloud infrastructure are unknown, unmanaged, rogue or participating in shadow IT, leading to significant infrastructure blind spots. This indicates an astounding lack of real-time awareness to prevent attackers from compromising systems.


Segmentation Is Critical

Once the right visibility tools are in place, large networks can and should be broken down to allow authorized communications to traverse only authorized areas of the network, while disallowing unauthorized activity. Anything touching the network should be segmented by type, purpose, access rights, and/or solution type.

In a hospital setting, do you want your patient wireless networks to have paths or connectivity to your billing and financial systems, which are likely covered under Payment Card Industry (PCI) requirements? What about life-saving medical devices sitting on the same network segments as employee wireless connectivity? Probably not, as these high-risk examples expose the more sensitive use cases (PCI and life-saving devices) to bad behavior and compromise.

How do you know this isn’t a problem on your own network? More than just knowing that a device is on the network, IT teams need to have tight control over where they are, what they are doing and who they’re communicating with, always. Devices should never be trusted unless authorized. Segmentation rules should be implemented, with policies updated frequently and tested or validated for erroneous changes, such as via human error or rogue activity.

In the past, medical devices were traditionally “closed” because of proprietary communications protocols, limited connectivity and operating systems that were incompatible with traditional IT. That has changed now that everything is IP-enabled: the walls have come down — enabling beneficial communications and data sharing but exposing the operational technology (medical device) environments to greater security risk. Segmentation and active network infrastructure monitoring for vulnerabilities enable you to securely take advantage of the IP-enablement benefits.

Here is a list of criteria that healthcare providers and related organizations need to consider to lower the risk of a breach:
  • Find a security solution that provides you with the most comprehensive visibility across the entire network, including connectivity across distributed medical facilities.
  • Harden all systems against attack by implementing a vulnerability management program; gain visibility into risk and asset priority; and subsequently limit the exploitation of systems and medical devices that could lead to compromise.
  • Manage risk throughout the process of merging acquired companies’ IT infrastructure as well as integrating partner systems to provide seamless network availability, while ensuring medical records are still protected from theft.
  • Develop, test and continuously validate segmentation policies to secure more sensitive and restricted areas of the network.
  • Identify leaks across protected zones or unauthorized paths to or from the internet in real time to prevent them from being exploited by a malicious actor.
  • Match successful on-premise regulatory compliance with cloud-based adoption of hosted and managed infrastructure defined by the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).
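The segmentation validation described under "Segmentation Is Critical" and the leak-identification item in the list above can be checked against observed traffic. The following is an added example, not part of the original article or any Lumeta/FireMon product: the zone names follow the article's hospital scenarios, while the CIDR ranges, allowed paths, ports and flow records are constructed assumptions.

```python
import ipaddress

# Constructed zone map: names follow the article's hospital examples, CIDRs are invented.
ZONES = {
    "patient_wifi": "10.10.0.0/16",
    "employee_wifi": "10.20.0.0/16",
    "billing_pci": "10.30.0.0/24",
    "medical_devices": "10.40.0.0/22",
    "clinical_apps": "10.50.0.0/24",
}
# Default deny: only these (src_zone, dst_zone, dst_port) paths are authorized (assumed policy).
ALLOWED = {
    ("medical_devices", "clinical_apps", 2575),  # HL7 feed to the clinical system
    ("employee_wifi", "clinical_apps", 443),
    ("clinical_apps", "billing_pci", 443),
}
NETS = [(name, ipaddress.ip_network(cidr)) for name, cidr in ZONES.items()]

def zone_of(ip):
    """Return the documented zone containing ip, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in NETS if addr in net), None)

def audit(flows):
    """Classify each observed (src, dst, dst_port) flow against the policy."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        path = f"{sz or 'unmapped'}->{dz or 'unmapped'}"
        if sz is None or dz is None:
            # Undocumented endpoint or a path leaving the documented network.
            findings.append(("UNMAPPED", path, src, dst, port))
        elif sz != dz and (sz, dz, port) not in ALLOWED:
            findings.append(("LEAK", path, src, dst, port))
    return findings

# Constructed flow records, as a flow collector or firewall log might export them.
SAMPLE_FLOWS = [
    ("10.40.1.15", "10.50.0.10", 2575),   # authorized device feed
    ("10.10.3.7", "10.30.0.5", 443),      # patient Wi-Fi reaching billing
    ("10.20.8.2", "10.40.0.9", 23),       # employee Wi-Fi reaching a medical device
    ("10.40.2.20", "203.0.113.50", 443),  # medical device talking off-network
    ("192.168.77.3", "10.50.0.10", 443),  # source in no documented zone
    ("10.20.4.4", "10.20.9.9", 445),      # intra-zone, outside segmentation scope
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Running the same audit after every firewall or routing change turns the policy into a regression test: a new LEAK or UNMAPPED finding points at an erroneous change or an undocumented device.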

Reggie Best
Reggie has a technology background with BE and MS degrees in EE and more than 25 years of experience in communications, networking and IT security. He’s currently the CEO of Lumeta, a FireMon company focused on delivering cyber situational awareness for complete real-time visibility into the extended network and across all connected endpoints.

Reggie has been involved in the founding of three start-up companies, which successfully progressed to M&A, including Teleos Communications (sold to Madge Networks), AccessWorks (sold to 3Com) and Netilla Networks (sold to AEP Networks). Prior to joining Lumeta, Reggie was president and chief operating officer at ProtonMedia, where he oversaw the operations and product teams. He started his career at Bell Labs, the R&D arm of AT&T.
