What Healthcare CISOs Should Know

Uploaded on 2017-05-23 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Health & Welfare

It used to be that retail and financial services were the most popular targets for breaches and malicious attacks, but the healthcare industry is now right up there with them.

The reason for that change is simple: protected health information (PHI) is more lucrative on the dark web than other forms of personally identifiable information.

Also, healthcare organisations keep other useful data: access credentials, personally identifiable information, and financial records.

“The value of a single medical record on the web’s black market can be as high as $500,” Essaid points out.

Yet, most people are unaware of the fact that medical data theft can be far more damaging than credit card or social security number compromise.

For one thing, the stolen medical records can be used for a variety of criminal activities: more personal data theft, payment card fraud, healthcare insurance fraud, acquisition of controlled and prescription substances, and so on. Secondly, the victims will likely have problems because of it for the rest of their lives.

Still, we’re all forced to trust healthcare organisations to keep out medical data secure. Unfortunately, many of them are struggling to sufficiently secure their systems due to limited resources, budget and timelines.

Advice healthcare CISOs should heed

“The healthcare sector is under pressure to comply with a range of regulations such as US healthcare-specific HIPAA, more general data protection rules such as the looming GDPR (General Data Protection Regulation) in Europe and, for those that take online payments, the PCI-DSS (Payment Card Industry Data Security Standard),” says Essaid.

A CISO moving from another industry needs to understand this landscape. Also, he or she must recognise that integrating security into a healthcare organisation’s Software Development Life Cycle is a difficult thing to do well.

“The CISO should first review the HITRUST CSF (Common Security Framework),” he advises to healthcare CISOs.

“Secondly, many healthcare organisations, especially ones that deal with the Centers for Medicare and Medicaid Services (CMS), are familiar with the NIST 800-53R4 framework. The US Government uses this as the core of its security programs. CMS also pushes that requirement down to partners. Ideally look at negotiating the more open 800-53 over the closed HITRUST CSF with your stakeholders and you will benefit in the long run.”

Start with the basics, and don’t forget the APIs

In general, though, healthcare institutions need to start with the basics:

•    Training, education and awareness for employees around social engineering and insider threats

•    Developing a better understanding of the motivations of cyber criminals and what key assets they are looking for, and then implementing protection controls accordingly.

Then comes the establishing of the necessary security audits, processes, procedures and compliance.

Essaid believes that adopting the Open Web Application Security Project (OWASP) secure development guidelines is a good idea, more so because seven of the twenty OWASP Automated Threats (OATs) are cited as primary threats to the healthcare industry.

Another important thing is not to overlook access control to website content and APIs, as many security practices that historically have been delivered in the user interface are now moving to API back-ends.

“In addition to the business benefits of faster delivery and ease of integrations aside, there are some security benefits of using APIs, too. Condensing the logic into the API helps address common UI related security issues,” he explains.

But cyber-criminals use bad bots (what OWASP calls Automated Threats) to attack login screens, steal patient records and perform account fraud. And aggregators and upstarts use web scraping bots to steal unique content or provide insurance policy quotes.

“Inaccurate pricing leads to customer frustration, and aggressive scraping can even cause slowdowns and downtime,” he points out. “But while APIs widen an organisation’s attack surface, but many of the same secure development best practices can also be implemented to protect them.”

HelpNetSecurity:

You Might Also Read:

Healthcare Starts Spending Big On Cybersecurity:

Increasing Healthcare Cybersecurity Risks:

Stolen Health Records Flooding Dark Web Markets:

 

 

« Three Cybersecurity Trends Business Should Address
What Happens If Criminals & Terrorists Get To Use AI »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Asavie

Asavie

Asavie provide solutions for Enterprise Mobility Management and secure IoT Connectivity.

Egress Software Technologies

Egress Software Technologies

Egress Software Technologies is a leading provider of data security services designed to protect shared information throughout its lifecycle.

APWG

APWG

APWG is the international coalition unifying the global response to cybercrime across industry, government, law-enforcement and NGO communities.

Reblaze Technologies

Reblaze Technologies

Reblaze provides the world’s best security technologies in a cloud-based website security platform.

Australian Cyber Security Centre (ACSC)

Australian Cyber Security Centre (ACSC)

The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together into a single location.

National Agency for Information & Communication Technologies (ANTIC) - Cameroon

National Agency for Information & Communication Technologies (ANTIC) - Cameroon

ANTIC is responsible for regulating the activities of electronic security and regulation of the Internet in Cameroon.

BeDefended

BeDefended

BeDefended is an Italian company operating in IT Security and specialized in Cloud and Application Security with years of experience in penetration testing, consulting, training, and research.

Blockchain R&D Hub

Blockchain R&D Hub

Blockchain R&D Hub's mission is to serve the needs of blockchain ecosystem as the center of excellence for technology research and development.

CYBER.ORG

CYBER.ORG

CYBER.ORG's goal is to empower educators as they prepare the next generation to succeed in the cyber workforce of tomorrow.

AnyTech365

AnyTech365

AnyTech365 is a leading European IT Security and Support company helping end users and small businesses have a worry-free experience with all things tech.

North Green Security

North Green Security

North Green Security is a UK-based cyber security training and consultancy company.

BetterWorld Technology

BetterWorld Technology

BetterWorld Technology provides cloud solutions, managed services, SaaS, cybersecurity and virtual CIO, all customized to meet your needs.

Thoropass

Thoropass

Thoropass (formerly Laika) helps you get and stay compliant with smart software and expert services.

Neya Systems

Neya Systems

Neya Systems, a leader in advanced off-road autonomy and high-level multi-robot mission planning, provides innovative solutions for uncrewed ground, aerial, and surface vehicles.

CyXcel

CyXcel

CyXcel is a cyber security consulting business grounded in the law which natively fuses crises, legal, technical, and consulting expertise digital networks, information and operational technology.

Secur-Serv

Secur-Serv

Secur-Serv is a security-first managed services provider. We provides Managed IT, Managed Print, Managed Device, and Cybersecurity services to companies of every size.