The healthcare industry continues to be plagued by cyber-attacks. So far in 2018, 1.4M records were breached in a phishing attack on UnityPoint Health. 38,000 patient records at were stolen from Legacy Health, and a data breach was disclosed involving 417,000 patient records from Augusta University. This is just the tip of the iceberg.
Medical records remain as lucrative as ever – selling for as much a $50 per individual on the dark web – and said to be 10 Times More Valuable Than Credit Card Info. Medical records include a variety of information such as names, social security numbers, birthdates and other information relating to a subject’s health. Why are they worth so much? Healthcare records can be used for many different purposes, including identity theft, healthcare fraud, tax fraud, blackmail/extortion, and so on. Unlike credit card numbers, which may expire or be cancelled by the owner in the event of a breach, health records contain information that doesn’t change, and thus retain their value.
Despite the vast number of healthcare data breaches, the healthcare industry is one of the most heavily regulated industries in the world. However, just because a healthcare organization is compliant, doesn’t necessary mean they won’t fall victim to a data breach. The problem that most healthcare organisations are faced with is that they lack resources. It is typical for healthcare IT departments to be understaffed, and non-IT staff members are rarely given the training necessary to identify potential security threats.
According to a report by Verizon, 66% of security incidents are the result of privilege misuse – the only industry where privileged users represent the greatest security threat. There are 5 key steps that healthcare organizations can take to prevent internal actors from leaking sensitive information.
1. Educate Employees About Security Best Practices
Create a security culture where security training is integrated into day-to-day activities. IT departments will need to put more pressure on management to secure the funds necessary to provide ongoing training and testing. Employees and contractors need to be fully aware of phishing and social engineering attacks, know how to identify and report them, and understand the ramifications of a data breach.
2. Encrypt All Sensitive Data
Sensitive data must be encrypted both at rest and in transit. Lost and stolen devices containing unencrypted data continue to be a major security threat for healthcare organisations. Data encryption is a relatively easy and cost-effective technique for securing sensitive data.
3. Enforce Least Privilege Access
Secure you sensitive data using Role-Based Access Control (RBAC). Ensure that staff members are only granted the privileges necessary for them to adequately perform their duties. Use a sophisticated auditing solution to monitor access permissions and receive real-time alerts when they change.
4. Use Two-Factor Authentication
2FA is based on something you know and something you have. Not only does it strengthen security, but it allows organisations to implement advance login functionality such as a single sign-on. 2FA is also cost-effective and easy to install. 2FA should be used across the entire organisation, including third-party contractors. Additionally, it is good practice to automate the process of reminding users to reset their passwords and detect suspicious login activity using “threshold alerting”.
5. Audit Sensitive Data
If organisations are not able to quickly and accurately determine who is accessing, modifying, moving or deleting sensitive data, they will not be able to keep their data secure. There are a number of change auditing tools like LepideAuditor which can detect, alert and respond to suspicious file and folder activity, permission changes, unauthorized access of your sensitive data and mailboxes and much more.