Cyber security is critical to healthcare because healthcare, by definition, revolves around information collected from patients. In paper form, patient health information (PHI) can be cumbersome to store and difficult to access. In response, many healthcare organizations have adopted electronic medical record (EMR) solutions. EMRs have the added benefit of simplifying storage and dramatically increasing ease of access. Unfortunately, the shift to EMRs has also increased the risk that unauthorized parties gain easier access to patient health information.
As we’ve seen in recent years, unauthorized actors have utilized vulnerabilities within your network or organization to gain access to PHI. Given both the increasing value of stolen PHI and the established vulnerability of many healthcare organizations, this is a trend we expect to continue and even grow in the foreseeable future.
In part one of our two-part series, Ryan McDaniel, HCI's VP of Security and Technology, will discuss the way in which cyber security has traditionally been managed, and in part two he will go into newer and better ways to address the most critical overlooked risk impacting healthcare and data security today.
1) Examples of Internal and External Threat
Nearly all healthcare organizations are aware of the growth in what is commonly known as hacking, or ill-gotten or unintended access by an unauthorized individual to your network. In general, hacking events have allowed malicious actors to access patient health information (PHI) and patient records. Because many malicious actors are motivated by the high value of PHI, once they have access to patient data they begin to exfiltrate and sell your patients' critical information.
These attacks are accomplished through a range of means, which commonly include phishing, brute force attacks, social engineering, stolen media, and an ever-increasing list of both novel approaches and derivations of existing strategies. Phishing attacks most commonly involve sending emails or messages, which may appear benign to the recipient, that contain malicious links or obfuscated active elements which, upon interaction, allow access to an internal network.
In contrast, social engineering attacks involve a malicious actor working outside of your IT environment to gain critical information about, or insight into, how and where critical data may be accessed. Often the malicious actor in this type of attack will use relationships with someone on the inside to get access to their account or their access privileges. Phishing attacks, which are executed within IT infrastructure, may be easier to identify but incredibly difficult to prevent. In contrast, social engineering is difficult both to identify and to prevent.
At a high level, the two types of attacks are indicative of the difficulty healthcare organizations face in securing their data. Data must be protected internally and externally, through IT and through employees, to ensure its security.
2) Flaws of Traditional Prevention Methods
With insider and outsider threats so prevalent, it is vital to be aware of not only what should be done but also what can be done to secure critical data. Fortunately, there are a great many preventative measures to monitor, identify, and report common sources of threat.
Most healthcare organizations have done a good job of reducing external threats through various solutions, such as firewalls, blacklists, encryption, and antivirus software. These solutions all work to reduce the potential that any unapproved party or program can gain meaningful access to critical information. Adopting and deploying these technologies helps to create a “walled garden”: an accumulation of solutions which reduce external access to internal assets, including PHI.
While the walled garden is helpful in preventing threats from getting into your system, it is not without its flaws. Healthcare deals with information exchange driven by interaction, which means that assets and data will be coming and going through the perimeter every day. This includes physicians, scripted accounts, contracted third parties, employees, and, most importantly, patients. Due to the transactional nature of healthcare, it is unreasonable to believe that creating a walled garden will be sufficient to eliminate risk and secure critical data. Stopping outsiders from getting inside is and will remain a critical part of securing data; however, to truly secure critical data we must also understand and reduce the risk from those already within your walled garden.
In the past, lacking technology to effectively capture insider threat, healthcare organizations had to rely on developing policy, or hiring teams of individuals to track your internal assets and identify user behavior for risk. Recent innovations in machine learning, analytics, and technology, however, have finally provided an effective approach to identifying and reducing the risks associated with insider threat. What capabilities do these innovations offer and how can they reduce risk within your organization?
Make sure to subscribe to our blog so you will be notified when part two of our cyber security series comes out, in which Ryan goes into detail on how User Behavioral Analytics (UBA) is finally enabling healthcare organizations to monitor insider threat and reduce the risks associated with users.