Naturally, healthcare service providers were keen to switch from paper-based health records to electronic health records (EHRs), as doing so makes it a lot faster and easier to access patient data and improve patient care. However, healthcare service providers, including any third parties they are affiliated with, need to find a way to balance the risks and rewards. On the one hand, they must protect patients’ privacy; on the other, they must be able to deliver the required information in a timely manner to those who need it.
According to a recent article by Spohn Solutions, ePHI (electronic Protected Health Information) is the most valuable data sold on the dark web. As such, health records are a prime target for cyber-criminals.
On top of this, healthcare providers are required to comply with various data protection regulations, such as HIPAA (the Health Insurance Portability and Accountability Act of 1996) and the GDPR (General Data Protection Regulation), which came into effect in May 2018. So, what can healthcare organisations do to better protect their sensitive data, whilst ensuring its availability?
Are Perimeter Defenses Enough?
While not as relevant as they used to be, perimeter defenses, such as Intrusion Detection and Prevention Systems (IDPSs), still provide a necessary layer of security. They provide application policy enforcement and volume tracking, and protection against zero-day exploits, IP spoofing and DoS attacks. They can detect and analyse a wide range of protocols, decrypt and decapsulate traffic, and inspect the payload. The most advanced IDPSs use threat intelligence to identify known attack signatures.
However, these days perimeter defenses alone provide insufficient protection against security threats, as most healthcare-related breaches are, in some way or another, caused by negligent employees. According to the 2018 Verizon Data Breach Investigations Report, healthcare is the only industry vertical where insider threats outnumber external threats. Given that insider threats can manifest in a large number of ways, due to the size of the attack surface, a detailed guide to mitigating such threats is beyond the scope of this document. However, below is a summary of the key points healthcare providers need to consider in order to strengthen their security posture.
Strengthening Security Posture
Naturally, security awareness training is the most effective way to ensure that employees are able to identify potential security threats. In addition to educating employees, healthcare providers must have a clear understanding of who changes their sensitive data, what is changed, and where and when. Before they can monitor such changes, they need to know exactly where their sensitive data resides.
It is likely that most providers will have adopted some form of classification system when transferring their data from paper-based records to ePHI. However, if this is not the case, they will need to implement some sort of data discovery and classification solution. Likewise, many organizations will have the same data stored in multiple places, which will inevitably widen the attack surface. As such, it may be worth installing a third-party solution which can identify duplicate datasets and replace these duplicates with a link/reference to the original data.
All sensitive data must be encrypted – both at rest and in transit. Data Loss Prevention (DLP) tools can be used to prevent unencrypted sensitive data from leaving the network.
Once they have discovered and classified their data, they will need to set up access controls to ensure that employees are not able to access data they don’t need to perform their role.
Using a DCAP (Data-Centric Audit & Protection) solution, like LepideAuditor, you can easily detect and respond to any suspicious changes made to files and folders in real time.
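The discovery, classification and duplicate-consolidation steps described above, as an added illustration that is not part of the original article or any vendor product: the script walks a directory, flags files that contain hypothetical ePHI markers (an MRN-style identifier and an ICD-10-style code, both constructed assumptions standing in for an organisation's real classification rules), and replaces byte-identical copies of flagged files with a symlink to the first copy, so the data exists in one place and other locations hold only a reference.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed classification rules (assumption): a real scanner would use the
# organisation's own data dictionary of identifiers and record formats.
EPHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:\s]*\d{6,10}\b"),
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"),
}

def classify(path: Path) -> set:
    """Return the names of the ePHI markers found in a text file."""
    text = path.read_text(errors="ignore")
    return {name for name, rx in EPHI_PATTERNS.items() if rx.search(text)}

def sha256_of(path: Path) -> str:
    """Content hash used to recognise byte-identical duplicates."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def discover_and_dedupe(root: Path) -> dict:
    """Classify every regular file under root; replace duplicate copies of
    sensitive files with a symlink to the first copy seen. Returns
    {"sensitive": {path: markers}, "replaced": {duplicate: original}}."""
    sensitive, first_seen, replaced = {}, {}, {}
    files = sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink())
    for path in files:
        markers = classify(path)
        if not markers:
            continue  # non-sensitive file: leave it alone
        sensitive[str(path)] = markers
        digest = sha256_of(path)
        if digest in first_seen:
            path.unlink()
            path.symlink_to(first_seen[digest])  # keep a reference, not a copy
            replaced[str(path)] = str(first_seen[digest])
        else:
            first_seen[digest] = path
    return {"sensitive": sensitive, "replaced": replaced}

def demo() -> dict:
    """Build a constructed sample tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    record = "Patient MRN: 00123456\nDiagnosis: E11.9\n"  # constructed sample
    (root / "clinic").mkdir(); (root / "billing").mkdir()
    (root / "clinic" / "visit.txt").write_text(record)
    (root / "billing" / "visit_copy.txt").write_text(record)  # duplicate copy
    (root / "billing" / "menu.txt").write_text("Cafeteria menu: soup\n")
    return discover_and_dedupe(root)
```

Running `demo()` flags the two record files, leaves the menu untouched, and turns the later-sorted copy into a link to the first one.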