Today’s hidden cybersecurity risks – and how health leaders can avoid them
Healthcare cyber warfare is on the rise.
Insurers, health systems, pharmaceutical companies, biotech and engineering firms each face their own unique security challenges, yet they all share one thing in common – digital security breaches are extremely costly in terms of both dollars and reputation.
Patient records, healthcare data and intellectual property are all valuable targets. The frequency of IP theft in the healthcare industry proves that this sensitive data is vulnerable even when executives think it secure. The vulnerability of healthcare IP arises from two sources: defects in the static infrastructure designed to protect confidential data at rest and in transit, and – less obvious – the inadequate protection of the metadata surrounding data transmissions. While logic might indicate that a static, fixed target is a suboptimal defense posture, metadata is often overlooked as a vulnerability.
Take drug development, for example. Pharmaceutical companies often disclose major announcements, such as the outcome of a clinical trial, by first contacting a series of necessary parties in a timed order based upon a pre-agreed document the company holds. The timing of these interactions and the identities of the parties involved become valuable to hackers and prying eyes, as they allow them to understand relationships, forecast next steps and map out company strategies – all accessible as metadata, even in encrypted communications.
The innate value of metadata means that healthcare organizations are increasingly being targeted by sophisticated and highly organized cybercriminals, state actors and competitors. These attacks come with significant costs. Studies have shown that the average cost to an organization for a single breach is roughly $3.8 million. Worse still, many breaches are not even discovered until well after the attack occurs.
The reality is companies cannot expect to compete globally if they are constantly engaged in damage control due to breaches. If you are a health leader, there are a few problem areas you need to know about:
- Ransomware is when an attacker encrypts a computer and then extorts the owner for money in order to regain access to their data. When these attacks occur, they can impact more than just data; in a recent ransomware incident at Hollywood Presbyterian Medical Center in Los Angeles, hackers locked out patient records while demanding $3.6 million. The hospital eventually paid $17,000 to regain access, but in the meantime had to divert some emergency patients to other health facilities.
- Employee communications make you vulnerable. Consider the following scenarios: An employee goes home and does work or conducts research from an unencrypted computer. A USB or other unauthorized form of tech is used to store data, or an unencrypted computer is stolen or disposed of improperly. As long as company-wide safeguards are not in place, hackers and bad actors have countless entry points to your organization’s data via your employees’ online activities. The devices you and your employees use need to be defended from stalking, profiling and attack.
- A patchwork approach to privacy doesn’t work. Most companies rely solely on the privacy protections controlled by app and online providers – and as everyone knows, they just do not do the job. In fact, many applications are designed to exploit private information, not protect it. The best alternatives for privacy protection that even the most competent IT departments have are static – comprising slow VPN reseller connections, firewalls, and encryption products.
- A fixed infrastructure is a fixed target. Surveillance and hacking require time to identify a target and compromise its security – and a fixed security infrastructure provides hackers and bad actors with the time they need to attack.
- Signature-based defenses are inherently vulnerable. As the name implies, a signature-based defense protects against known attacks and attack vectors. But there are always unknowns. Hackers are constantly developing “zero-day” attacks, which, because they’ve never been seen before, can often persist undetected for extensive amounts of time, collecting sensitive data all the while.
While industries like finance and retail have taken steps toward beefing up security, the healthcare industry still has a long way to go; in 2014, the FBI even issued an official warning to the sector noting its vulnerability. The good news is that there are steps health leaders can take today to protect their organizations:
- Educate your workforce. Help your employees understand the potential impact of their online activities – and correct any misconceptions. Anti-virus software is only useful as long as employees are diligent. Adopt proactive protection for your team, devices and information that is simple to use and easy to grasp, like virtual machines, regular backups and common sense when it comes to browsing and downloads.
- Look for emerging vendors. Yesterday’s large security vendors aren’t necessarily one-stop shops for security. They don’t offer adequate protection against sophisticated attacks that are constantly evolving and changing face.
- Communicate through multiple channels. Using the same systems for all communications creates opportunities for metadata analysis and interception. Email, chat, messaging, phone and cell calls all provide some diversity and disruption to a third party’s observations.
- Leverage ephemeral infrastructure. With advances in cloud computing capacity, ephemeral infrastructure can hide a company’s network from attackers and provide secure, anonymous communications. Keeping metadata and data private puts hackers at a disadvantage. The air-gapped computing capability offered by ephemeral infrastructure also means it can provide ransomware protection.
Whichever way you evaluate it, data privacy is a major vulnerability for today’s healthcare organizations. And as the worth of health-related data continues to out-value most data types on the black market, this shows no signs of slowing down. Securing any healthcare organization – whether it be an insurance carrier, a biotech firm or a multi-facility health system – takes measured planning, technical expertise and an understanding of the business and the value of its data/IP. With the right safeguards in place, companies can protect themselves from cyberattacks and even find themselves ahead of the security arms race.