What Healthcare CISOs Should Know

It used to be that retail and financial services were the most popular targets for breaches and malicious attacks, but the healthcare industry is now right up there with them.

The reason for that change is simple: protected health information (PHI) is more lucrative on the dark web than other forms of personally identifiable information.

Also, healthcare organisations keep other useful data: access credentials, personally identifiable information, and financial records.

“The value of a single medical record on the web’s black market can be as high as $500,” Essaid points out.

Yet, most people are unaware of the fact that medical data theft can be far more damaging than credit card or social security number compromise.

For one thing, the stolen medical records can be used for a variety of criminal activities: more personal data theft, payment card fraud, healthcare insurance fraud, acquisition of controlled and prescription substances, and so on. Secondly, the victims will likely have problems because of it for the rest of their lives.

Still, we’re all forced to trust healthcare organisations to keep our medical data secure. Unfortunately, many of them are struggling to sufficiently secure their systems due to limited resources, budgets and timelines.

Advice healthcare CISOs should heed

“The healthcare sector is under pressure to comply with a range of regulations such as US healthcare-specific HIPAA, more general data protection rules such as the looming GDPR (General Data Protection Regulation) in Europe and, for those that take online payments, the PCI-DSS (Payment Card Industry Data Security Standard),” says Essaid.

A CISO moving from another industry needs to understand this landscape. Also, he or she must recognise that integrating security into a healthcare organisation’s Software Development Life Cycle is a difficult thing to do well.

“The CISO should first review the HITRUST CSF (Common Security Framework),” he advises healthcare CISOs.

“Secondly, many healthcare organisations, especially ones that deal with the Centers for Medicare and Medicaid Services (CMS), are familiar with the NIST 800-53R4 framework. The US Government uses this as the core of its security programs. CMS also pushes that requirement down to partners. Ideally look at negotiating the more open 800-53 over the closed HITRUST CSF with your stakeholders and you will benefit in the long run.”

Start with the basics, and don’t forget the APIs

In general, though, healthcare institutions need to start with the basics:

• Training, education and awareness for employees around social engineering and insider threats.

• Developing a better understanding of the motivations of cyber criminals and what key assets they are looking for, and then implementing protection controls accordingly.

Then comes establishing the necessary security audits, processes, procedures and compliance.

Essaid believes that adopting the Open Web Application Security Project (OWASP) secure development guidelines is a good idea, more so because seven of the twenty OWASP Automated Threats (OATs) are cited as primary threats to the healthcare industry.

Another important thing is not to overlook access control to website content and APIs, as many security practices that historically have been delivered in the user interface are now moving to API back-ends.

“In addition to the business benefits of faster delivery and ease of integration, there are some security benefits of using APIs, too. Condensing the logic into the API helps address common UI-related security issues,” he explains.

But cyber-criminals use bad bots (what OWASP calls Automated Threats) to attack login screens, steal patient records and perform account fraud. And aggregators and upstarts use web scraping bots to steal unique content or provide insurance policy quotes.

“Inaccurate pricing leads to customer frustration, and aggressive scraping can even cause slowdowns and downtime,” he points out. “But while APIs widen an organisation’s attack surface, many of the same secure development best practices can also be implemented to protect them.”

HelpNetSecurity:
