Healthcare Data Is The Holy Grail for Cyber Thieves

While some incidents are a result of lost or stolen files, sophisticated hackers looking to lift the treasure trove of information found in health records are now the leading cause of data loss.

The threat isn’t likely to ease. Cybercrime is a “growing $6 billion epidemic that puts millions of patients and their information at risk,” according to a report on healthcare data security published last year by the Ponemon Institute.

To counter the growing threat, providers need to rethink their security strategies.

Rapid rise in medical identity theft

No longer are virus scanning and intrusion detection software sufficient. “Protection technologies have a purpose; the problem is there are really wonderful ways to evade these things,” says Ronald Mehring, chief information security officer (CISO) for Texas Health Resources. “We’ve seen that with a multitude of breaches across organizations that have strong programs.”

The key, say experts, is a complex solution of multiple defense layers embedded with new data analysis techniques that can spot hackers before they can break into health data stores.

CIOs and their security staffs have to consider a class of more sophisticated tools that can sense when a breach is being attempted or already underway. For example, advanced classes of firewalls are aware of the applications running behind them and can take into consideration what is and isn’t normal traffic trying to access those applications.

Many organizations are turning to these types of layered protection, healthcare security professionals say.

“You want to have advanced application-level firewalls at the edge,” says David Reis, vice president of IT governance and security at Lahey Health, Burlington, Mass. “You want to have intrusion detection and prevention at the network layer inside the firewall to catch those things that get through the firewall. And then for the Internet-facing systems that you’re really worried about, you can put host-based intrusion detection on those very specific servers.”

But layered approaches alone may be incomplete because of threats burrowing in from the Internet, says Mehring. “Before, we looked at it like this iterative approach. Somebody comes in from the Internet, they hit an external firewall--some type of defense system that keeps them out, at the outer shell. Then if they make it past there, there is some other control, then some other control, and some other control. It doesn’t quite work that way anymore, because of the way users interact with technology, the Internet.”

Network protections can be thwarted when an employee unwisely falls prey to a phishing gambit, by either clicking on a hacker’s URL link or attachment. “Professionally and personally, that’s my biggest worry,” says Reis. Phishing attacks “can be incredibly effective, especially in the healthcare market where we’re all trained to be patient-centric, trained to be helpful.”

HIPAA has prompted health systems to elevate their efforts, adding encryption of data at rest, media protections, and backup and security protocols, says Russell Branzell, president and CEO of the College of Healthcare Information Management Executives. “It was the nudge we needed to get started, and most organizations generally have those in place today,” he says. Now they have to weigh technology “that measures and reacts to human nature and behavior.”

Barrier technologies are programmed to look for unique signatures of a finite number of viruses and other malware. “You need so many hits of people, machines, users getting infected in order for a rule, a pattern, a signature to be generated,” says Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society. In contrast to rules-based responses to attackers, the newer behavior-based methods look for departures from normal activity.

It’s all about trying to stay even with hackers who are continually changing their attack modes. “Prevention now is far more important than it’s ever been,” Reis asserts. “Detection is important, but we’re putting a lot more of our focus on preventive measures rather than detection measures, because things happen so much more quickly now than they did even five years ago. If you wait until you’ve detected, you’ve had a really big event. The key now is to make sure that event doesn’t happen.”


Increasingly, security technology is performing analyses on data coming from breach prevention and detection systems, sifting for suspicious activity, says Darren Lacey, CISO and director of IT compliance at Johns Hopkins University and its medical school. “Detection controls, what they do is they say, ‘Well, this thing is happening, and it looks kind of funny--what do you want me to do about it?’ ”

Answering those questions is a set of investigative controls, sometimes automated in their responses, but usually operated by a staff pro responding to alerts, says Lacey, adding, “Detection controls are most beneficial when they’re integrated well with investigating.” Information aggregated from the various detection points--firewalls, host-based protection systems, audited activity logs and so on--aids in “creating new prevention signatures and new prevention rules.” And if a detection system sees something get through, “that will shape what prevention controls you run in the future.”

Prevention controls at the outer rim of the IT network include lists of IP addresses known to be both destinations for stolen data and sources of command-and-control centers for a network of malware called bots, guiding them through a breached system looking for lucre. “But sometimes these botnets change IP addresses, so your preventive rule sets don’t tell you a lot,” says Lacey.

A detection system might identify a new IP address to which several devices inside an IT network are communicating back and forth, for unknown reasons. Chances are that something suspicious is in play, Lacey explains, and an alert is triggered for investigation. The first response likely is to set up a new preventive control, adding the address to the block list. If it prevents a compromised computer from communicating back to an outlaw site, “that greatly reduces the amount of damage that bots can do.”
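The detect-then-prevent loop Lacey describes, and the contrast drawn earlier between signature/rule-based and behavior-based methods, can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the article or from any of the organizations quoted. It scans constructed outbound-connection records: the existing block list (the static prevention rule) stops only the address it already knows, while the behavior check flags an unseen external destination that several internal hosts have started contacting, and that alert is then promoted into a new block-list entry. The flow format, the `KNOWN_BLOCKLIST` and `KNOWN_DESTINATIONS` sets, the host threshold and all addresses are assumptions for illustration; the addresses are documentation ranges, not real infrastructure.

```python
"""Added example: a detection alert feeding a new prevention rule.

Constructed outbound flow records are checked against an existing block list
(prevention), then scanned for an external destination that several internal
hosts have begun contacting although it is neither blocked nor previously seen
(detection). That destination is promoted to the block list (response).
"""
from collections import defaultdict
import ipaddress

# Constructed sample flow records: "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes>".
# Addresses are RFC 5737 documentation ranges; nothing here is from a real incident.
SAMPLE_FLOWS = """\
2015-03-02T10:00:05 10.20.1.15 203.0.113.7 443 812
2015-03-02T10:00:09 10.20.1.22 203.0.113.7 443 790
2015-03-02T10:00:11 10.20.1.15 198.51.100.44 443 15220
2015-03-02T10:00:30 10.20.2.9 203.0.113.7 443 805
2015-03-02T10:01:02 10.20.3.41 203.0.113.7 443 799
2015-03-02T10:01:10 10.20.1.22 198.51.100.44 80 2048
2015-03-02T10:01:15 10.20.1.15 192.0.2.250 8080 640
2015-03-02T10:02:00 10.20.1.15 203.0.113.7 443 811
"""

# Assumed existing prevention rule set: destinations already known to be bad.
KNOWN_BLOCKLIST = {"192.0.2.250"}
# Assumed baseline: external destinations this network has legitimately used before.
KNOWN_DESTINATIONS = {"198.51.100.44"}
# Internal address space, listed explicitly: ipaddress.is_private() would also
# treat the documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[dict]:
    """Parse whitespace-separated flow records into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def blocked_flows(flows: list[dict], blocklist: set[str]) -> list[dict]:
    """Prevention: the flows the existing block list would already have stopped."""
    return [f for f in flows if f["dst"] in blocklist]


def find_suspicious_destinations(flows: list[dict], blocklist: set[str],
                                 known: set[str], min_hosts: int = 3) -> dict[str, set[str]]:
    """Detection: unseen external destinations contacted by >= min_hosts internal hosts.

    Blocked destinations need no alert and known ones are part of the baseline;
    what remains is several devices talking to a new address for unknown reasons.
    Returns {destination: set of internal hosts that contacted it}.
    """
    hosts_by_dst: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only outbound traffic from internal hosts is of interest
        if f["dst"] in blocklist or f["dst"] in known:
            continue
        hosts_by_dst[f["dst"]].add(f["src"])
    return {dst: hosts for dst, hosts in hosts_by_dst.items() if len(hosts) >= min_hosts}


def promote_to_blocklist(blocklist: set[str], suspicious: dict[str, set[str]]) -> set[str]:
    """Response: turn confirmed alerts into prevention rules (returns a new set)."""
    return blocklist | set(suspicious)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(f"already blocked by existing rules: {len(blocked_flows(flows, KNOWN_BLOCKLIST))} flow(s)")
    suspicious = find_suspicious_destinations(flows, KNOWN_BLOCKLIST, KNOWN_DESTINATIONS)
    for dst, hosts in suspicious.items():
        print(f"ALERT {dst}: contacted by {len(hosts)} internal hosts -> {sorted(hosts)}")
    print("updated block list:", sorted(promote_to_blocklist(KNOWN_BLOCKLIST, suspicious)))
```

On the sample, the static rule catches the single flow to the already-listed address, while the new destination 203.0.113.7, reached by four different internal hosts, is caught only by the behavior check; the threshold and the baseline set are the knobs a security team would tune against its own traffic before letting the promotion step run without a human in the loop.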

10 Top Health Data Hacks

The giant breach at health insurer Anthem (previously WellPoint), potentially affecting up to 80 million insured members and employees, reminds us that the hacking threat to protected health information is persistent and growing. The HHS Office for Civil Rights Web site of large breaches lists more than 90 major incidents of hacking, which have become much more prevalent during the past two years. Here are the 10 largest healthcare hacking incidents to date.

Texas Health Resources takes the analytical route even further, devising risk profiles of users in its 25-hospital system based on their access to areas of the network, especially highly sensitive lodes of information, and how much of a target they would be for, say, phishing attempts, says Mehring. He calls it a zonal approach within the network as compared with a layered approach, intended to shut down breaches before they can spread.

“Quickness is key,” Mehring declares. “What we’ve found is that when that phishing email comes in, those first two hours that it’s in your environment are the most critical.” THR uses a cloud-based product that does a better job than in the past at detecting an attack and purging the invading agent, he says.

Vast improvements in the speed, computing ability and connectedness of healthcare information technology greatly complicate the business of keeping IT systems safe from intrusion. “Not only do hackers’ methods change, but the systems that we’re trying to protect evolve as well,” says Reis. “The systems get more complicated, and the hackers get more sophisticated, and to be effective we have to be able to keep up with both at the same rate.”

The fast movement of huge amounts of data makes near-real-time intrusion detection critically important, says Kim of HIMSS, because attackers that get in can move quickly and access quantities of data in no time. A reactive strategy of spotting known malware in action will miss the mark, she emphasizes, because a reaction hours or days later is often too late.

Information Management: http://bit.ly/1ntZeMa
