What Healthcare CISOs Should Know

Uploaded on 2017-05-23 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Health & Welfare

It used to be that retail and financial services were the most popular targets for breaches and malicious attacks, but the healthcare industry is now right up there with them.

The reason for that change is simple: protected health information (PHI) is more lucrative on the dark web than other forms of personally identifiable information.

Also, healthcare organisations keep other useful data: access credentials, personally identifiable information, and financial records.

“The value of a single medical record on the web’s black market can be as high as $500,” Essaid points out.

Yet, most people are unaware of the fact that medical data theft can be far more damaging than credit card or social security number compromise.

For one thing, the stolen medical records can be used for a variety of criminal activities: more personal data theft, payment card fraud, healthcare insurance fraud, acquisition of controlled and prescription substances, and so on. Secondly, the victims will likely have problems because of it for the rest of their lives.

Still, we’re all forced to trust healthcare organisations to keep out medical data secure. Unfortunately, many of them are struggling to sufficiently secure their systems due to limited resources, budget and timelines.

Advice healthcare CISOs should heed

“The healthcare sector is under pressure to comply with a range of regulations such as US healthcare-specific HIPAA, more general data protection rules such as the looming GDPR (General Data Protection Regulation) in Europe and, for those that take online payments, the PCI-DSS (Payment Card Industry Data Security Standard),” says Essaid.

A CISO moving from another industry needs to understand this landscape. Also, he or she must recognise that integrating security into a healthcare organisation’s Software Development Life Cycle is a difficult thing to do well.

“The CISO should first review the HITRUST CSF (Common Security Framework),” he advises to healthcare CISOs.

“Secondly, many healthcare organisations, especially ones that deal with the Centers for Medicare and Medicaid Services (CMS), are familiar with the NIST 800-53R4 framework. The US Government uses this as the core of its security programs. CMS also pushes that requirement down to partners. Ideally look at negotiating the more open 800-53 over the closed HITRUST CSF with your stakeholders and you will benefit in the long run.”

Start with the basics, and don’t forget the APIs

In general, though, healthcare institutions need to start with the basics:

•    Training, education and awareness for employees around social engineering and insider threats

•    Developing a better understanding of the motivations of cyber criminals and what key assets they are looking for, and then implementing protection controls accordingly.

Then comes the establishing of the necessary security audits, processes, procedures and compliance.

Essaid believes that adopting the Open Web Application Security Project (OWASP) secure development guidelines is a good idea, more so because seven of the twenty OWASP Automated Threats (OATs) are cited as primary threats to the healthcare industry.

Another important thing is not to overlook access control to website content and APIs, as many security practices that historically have been delivered in the user interface are now moving to API back-ends.

“In addition to the business benefits of faster delivery and ease of integrations aside, there are some security benefits of using APIs, too. Condensing the logic into the API helps address common UI related security issues,” he explains.

But cyber-criminals use bad bots (what OWASP calls Automated Threats) to attack login screens, steal patient records and perform account fraud. And aggregators and upstarts use web scraping bots to steal unique content or provide insurance policy quotes.

“Inaccurate pricing leads to customer frustration, and aggressive scraping can even cause slowdowns and downtime,” he points out. “But while APIs widen an organisation’s attack surface, but many of the same secure development best practices can also be implemented to protect them.”

HelpNetSecurity:

You Might Also Read:

Healthcare Starts Spending Big On Cybersecurity:

Increasing Healthcare Cybersecurity Risks:

Stolen Health Records Flooding Dark Web Markets:

 

 

« Three Cybersecurity Trends Business Should Address
What Happens If Criminals & Terrorists Get To Use AI »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Redcentric

Redcentric

Redcentric is a leading UK IT managed services provider. We deliver managed IT, cloud computing, data backup, information security services and managed networks.

Reblaze Technologies

Reblaze Technologies

Reblaze provides the world’s best security technologies in a cloud-based website security platform.

Silicom Denmark

Silicom Denmark

Silicom Denmark is a premier developer and supplier of FPGA-based interface cards for cyber-security, telecommss, financial trading and other sectors.

H3Secure

H3Secure

H3 Secure focuses on Secure Data Erasure Solutions, Mobile Device Diagnostics and Information Technology Security Consulting.

TES

TES

TES is a provider of IT Lifecycle Services, offering bespoke solutions that help customers manage the commissioning, deployment and retirement of Information Technology assets.

Cylera

Cylera

Cylera is a Healthcare IoT cybersecurity and intelligence company built in close partnership with healthcare providers.

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange is a new initiative dedicated to advancing effective and innovative public policy in cybersecurity and digital privacy.

Onclave Networks

Onclave Networks

Onclave Networks is a global cybersecurity leader, transforming the future of securing all IT/OT devices and systems.

UnderDefense

UnderDefense

UnderDefense provides cyber resiliency consulting and technology-enabled services to anticipate, manage and defend against cyber threats.

BIG Cyber

BIG Cyber

BIG Cyber is a specialized Managed Security Service Provider (MSSP) dedicated to bringing military grade cyber security technology to the gaming industry.

SolidRun

SolidRun

SolidRun is a leading provider of computing and network technology designed to streamline the deployment of edge computing infrastructure and support embedded and IoT markets.

Bit Sentinel

Bit Sentinel

Bit Sentinel is an information security company. We help companies like yours discover, prioritize, and effectively remediate potential cybersecurity risks.

Cyber & Data Protection

Cyber & Data Protection

Cyber & Data Protection Limited supports Charities, Educational Trusts and Private Schools, Hospitality and Legal organisations by keeping their data secure and usable.

Blue Goat Cyber

Blue Goat Cyber

Blue Goat stands at the forefront of cybersecurity, particularly in medical device security and penetration testing.

UFS Technology

UFS Technology

UFS, the bank technology outfitter for community banks, provides purpose-built, bank-exclusive technology services and solutions including cybersecurity.

SoteriaSec

SoteriaSec

SoteriaSec is a premier cybersecurity firm providing comprehensive digital forensics and incident response services.