In light of the recent Premera and Anthem breaches, a spotlight is now shining on healthcare businesses, regarding their ability to defend patients’ sensitive information. Security wonks have been warning for years that healthcare businesses are in a lot of trouble, security-wise. Criminals are targeting medical records because of their value, and as a result, medical breaches are the fastest growing type of breach. What can businesses do to get themselves out of the crosshairs?
According to the Identity Theft Resource Center, there were 783 medical breaches in 2014, compared with 614 breaches on the 2013 ITRC Breach List, a dramatic increase of 27.5 percent year over year. This has put healthcare industry breaches in first place for the largest number of breaches, for the last several years running, with over 40% of the total number of breaches. This is no surprise: medical records are worth more on the black market than payment card data.
So what can healthcare businesses do to help reverse this trend?
It is important to understand that there is no such thing as perfect security if you have a sufficiently determined adversary, but this does not mean we should not try to decrease risk and try to mitigate the damage if a security incident does occur. The biggest part of being successful at risk mitigation is decreasing the value of any one piece of the security puzzle, if it is successfully stolen. For instance, if an employee’s username and password are phished, they are of limited use if another factor of authentication is required to log into the user’s accounts.
Here are five things businesses should be doing to help decrease risk and mitigate damage in case of a breach:
Regularly and promptly updating all software is one of the most important things you can do to minimize the vulnerabilities criminals can use to silently get into machines. And vendors often provide updates at no cost. When you get a notice from your vendor, be sure to go directly to the vendor’s website to get the update as soon as possible. This can be particularly problematic for medical machines, as older devices may still be running a version of Windows XP. This should either motivate businesses to upgrade those machines as soon as possible, or to at least put additional protection in place around the more vulnerable machines.
Passwords are not enough
If you are protecting lots of patient data, a password alone is not enough. Consider two-factor authentication. This can be a biometric like a fingerprint or a one-time passcode that is provided to you, via a small digital key card or fob, or even an app on your smartphone.
Principle of Least Privilege
The Principle of Least Privilege simply means that no person, machine, or system should have access to things they do not strictly need. For instance: Financial data should be in a different part of the network, and completely cut off from people who do not need to access it. And very few people, if any, should have Administrator-level access rights on their own machine. Any time you can restrict access without disrupting people’s ability to do their job, you should.
When we have something that is valuable, we lock it up when it is not in use. It is the same with data; if you have valuable data, it should be encrypted whenever it is not directly in use. That means when it is in storage, it should be encrypted. When it is being accessed or sent over the network, it should be through an encrypted connection. Having encryption from end to end minimizes criminals’ ability to get any useful data, even if they do manage to breach your other defenses.
Do not expect one security product to protect you against every possible threat. Make sure you have an anti-malware suite on all devices that access your network (do not forget smartphones, Android tablets, Linux servers, and Mac computers along with your Windows machines). You should also have a firewall at the gateway to your network and on all your individual machines.
Medical records are likely to remain a tempting target as long as there is a sufficient return on criminals’ investment of time and effort. It is important for healthcare practitioners and businesses to take extra care of their patients’ data, as well as their health. By increasing security, you can decrease the return on investment for criminals, and they may pass your organization by.
Author Lysa Myers, ESET