We take it for granted that doctors and medical professionals will have complete access to our health profiles and background, as without this they can’t make a critical diagnosis in a timely manner. However, the very nature of this access, and the vast amount of information held within the healthcare industry, makes it a prime and profitable target for criminals.
Knowing which security threats are out there, and what steps to take to proactively prevent security incidents is vital if personal healthcare information is to be kept safe.
We’ve re-examined the data within our Data Breach Investigations Report (DBIR) series (2016 and 2017) to focus in on the healthcare sector’s unique profile and security challenges, and particularly the use/abuse of protected health information (PHI). Our 2018 Protected Health Information Data Breach Report (PHIDBR) is underpinned by 1,368 incidents from this caseload covering 27 countries.
Our major findings are as follows:
- 58 percent of incidents involved insiders. Healthcare is the only industry in which internal actors are the biggest threat to an organization. Often they are driven by financial gain, such as tax fraud or opening lines of credit with stolen information (48 percent); fun or curiosity in looking up the personal records of celebrities or family members (31 percent); or simply convenience (10 percent).
- 70 percent of incidents involving malicious code within the healthcare sector were ransomware infections. Mirroring the ongoing use of ransomware across all business sectors, as we reported in our 2017 Data Breach Investigations Report and the cyber-attacks Europe witnessed mid-2017.
- 27 percent of incidents were related to PHI printed on paper. Medical device hacking may be in the news, but it seems the real criminal activity is found by following the paper trail. Whether prescription information sent from clinics to pharmacies, billing statements issued by mail, discharge papers physically handed to patients, or filed copies of ID and insurance cards, printed documents are more prevalent in the healthcare sector than any other. The very nature of how PHI paperwork is handled and transferred by medical staff has led to preventable weaknesses – sensitive data being misdelivered (20 percent), thrown away without shredding (15 percent), and even lost (8 percent).
- 21 percent of incidents involved lost and stolen laptops containing unencrypted PHI.More employee education is required to ensure that basic security measures are put in place.
First step – get the basics right
There are several short-term improvements that can directly address some of the common security challenges flagged by these findings:
- Full Disk Encryption (FDE): This provides an effective and relatively low-cost method of keeping sensitive data out of the hands of criminals.
- Routine monitoring of record access: Policies and procedures should be in place to mandate monitoring of internal PHI access. All employees should be aware, via security training and warning banners, that if they view any patient data without a legitimate business need there is potential for corrective actions.
- Build resiliency to combat ransomware attacks: Preventive controls for defending against malware installation are key, as is minimizing the impact that ransomware could have against a network. Do not allow end-user devices to propagate and spread ransomware to critical assets, and do not use devices with high availability requirements to surf the Internet or receive external email.
Implementing security measures for the long-term
More important, though, is the need to secure the use of PHI within the healthcare sector for future stability and success in the digital world. This means that longer-term strategic actions are also required.
One area to look at is electronic PHI (ePHI). Breaches involving ePHI included the publishing of sensitive data on public websites (7 percent) and misdelivery (7 percent) via email – still alarming, but much less so than those breaches associated with old-fashioned paper documents. So, organizations should work towards a reduction of paper-based PHI in their environments, and establish a holistic risk management program that protects not only ePHI, but also other sensitive data that they store and process.
We also need to recognize that overly strict restrictions in access to patient information has the potential to impact a healthcare professional’s ability to make timely and proper point-of-care decisions – but there are still improvements that can be made.
For example, a comprehensive review and ongoing audits of access rights to sensitive data would ensure ease of access to front-line medical providers, yet reduce unnecessary access elsewhere.
As the use of the Internet of Things (IoT) becomes more commonplace across the sector, establishing a proactive policy of building security into any and all implementations is vital in addressing what could be an increasing threat in the future.
Focusing on resiliency and availability in IoT implementations, as well as integrity and confidentiality, is also important.
Finally, having an overall incident response plan ready to go should a cyberattack occur will also enable quicker reactions, and can often make a difference to the level of impact an incident has on an organization. Testing those plans using table top exercises to discover gaps is critical before an incident occurs, as well as holding post mortem reviews after the fact to capture lessons learned.