According to research carried out by NetDiligence – a cyber risk assessment and data breach services company – Healthcare and Professional Services were the most breached sectors. The healthcare industry accounted for 18% of all breaches, with an average cost of $717K per breach. 63% of these breaches were the result of “criminal or malicious activity”, with hacking being the most common cause of data loss (20%).
Ransomware attacks continue to burden the industry – costing services providers an average of $76,000 per incident. To make matters worse, a report by Symantec states that “the number of breach incidents continues to grow about 10 percent each year”.
There are several factors that are resulting in the exposure of sensitive ePHI:
Healthcare service providers store vast amounts of sensitive patient information. This, combined with the transition from paper-based to electronic health records, has resulted in a landscape that is attractive to cyber-criminals.
Health records are very valuable. Unlike credit cards which can only be used until they expire, reach their maximum usage limit or get cancelled, electronic health information (EHI) can be used multiple times for multiple purposes. For example, Social Security numbers never expire, and fraudulent use of SSNs cannot be easily detected. EHI can also be used to obtain prescription drugs, open a bank account, apply for a passport/driver’s licence, and file fraudulent tax returns and insurance claims.
The healthcare industry is recognised as “critical infrastructure”, thus making it a prime target for hacktivists and nation states.
Health records are accessed for many reasons, by many practitioners, and from many different locations. The level of organisational complexity faced by many service providers makes it difficult for them to track and verify the usage of EHI and apply the necessary security controls.
Healthcare service providers often have limited staff and operate on limited budgets. The lack of resources means that they are often using outdated computer systems and fail to deliver the training necessary to ensure that staff members are well informed about security best practices.
With the increase in attacks on software supply chains, Internet of Things (IoT) devices and industrial control systems (ICS) used in healthcare, we are likely to see more sophisticated attacks on the horizon.
How Can Service Providers Improve Their Security Posture with Limited Resources?
Service providers can only do what their resources allow. As such, cost-effective solutions are required to automate security tasks and minimise the likelihood of a breach. Given that healthcare is “the only industry where insider threats outnumber external threats”, it makes sense to focus on areas such as privilege misuse, password rotation, and unauthorised access to sensitive patient data.
Fortunately, there are solutions available that can automatically detect, alert on, report and respond to privileged account misuse, suspicious file and folder activity, and inactive user accounts. They can also automate the process of reminding users to reset their passwords, helping to reduce the attack surface. Deploying a change auditing solution like LepideAuditor can significantly improve your ability to detect and respond to threats, as well as help you meet strict healthcare-related compliance mandates more easily.