Health care entities often operate several steps behind criminal hackers and other data thieves. For a number of years now, the not-so-subtle (but often neglected) warning signs of this disparity have been on full display. Now, health and medical organizations - which include hospitals, doctor's offices, urgent-care facilities, nursing homes, pharmacies, health insurance companies and others - are more pressured than ever to ensure their networks, systems and applications are protected from the inevitable threat lurking in the shadows.
But before they can remedy their shortfalls, they must prioritize the biggest things that need fixing. Here are seven common blunders harming the health care sector:
Not accounting for the changing threat landscape: While the health care industry deals with a number of unique challenges, the troubles it faces are not uncommon from those in other sectors. Threats are advancing, security skills are at a premium, budgets are tight, legacy systems are going unpatched and the attack surface is expanding. Yet studies show that health care organizations are doing a substandard job of ensuring their breach prevention, detection and response measures are effective.
Slowly adopting advanced technologies and services: One big difference between health care and other industries that swim in sensitive data, such as finance, is that organizations in health care haven't invested as much as they should in advanced security solutions - such as anti-malware gateways to detect and block threats in real time and threat management to identify and assess attacks and other suspicious network behavior. In addition, health and medical firms, much like members of other industries, have been agonizingly slow to detect incidents, limiting their ability to perform damage control and effectively communicate with affected customers.
Inadequately protecting confidential records: Entities such as hospitals, doctor's offices and urgent-care clinics are custodians of a wide swath of sensitive information. As the black market for financial data, such as credit card numbers, has become commoditized over the years, medical data is growing more valuable. Cybercriminals recognize the value of patient data, such as stolen health insurance numbers, to acquire medications and services. A 2014 medical identity theft study found that an estimated 2.32 million Americans have fallen victim to such a crime, with an average cost of $13,500 to resolve it. Organizations must implement a layered, flexible and proactive defense strategy.
Failing to consider the risks of mobile and cloud: Never before has medical data been so conveniently accessible by doctors, nurses and patients through devices such as smartphones, tablets, portals and health exchanges. This dissolving perimeter results in efficiency wins and improved patient and health care delivery, yet these endpoints often lack basic security, such as access control, vulnerability management and encryption, making them prone to malfeasance and data loss. And it further opens the door for deliberate or accidental insider threats, such as patient snooping or the careless handling of information. (In a similar vein, as researchers have revealed, wearable and implantable medical devices are at risk to hacking too).
Failing to assess the security of business partners: We've read a lot in recent months about the dangers posed by the partners and contractors with whom companies have business relationships. For instance, an exploitable vulnerability or malware infection at a third-party vendor (or a newly acquired company, amid a growing spike of hospital mergers) can serve as the entryway for adversaries to reach their ultimate target. Health care is no different. Business associates - those third-party contractors that serve health care organizations - are responsible for a majority of health and medical breaches. Fortunately, the federal law that governs the protection of health information, known as the Health Insurance Portability and Accountability Act (HIPAA), covers these entities.
Not fully leveraging managed security services effectively: Security and compliance are not core competencies for health care professionals who are rightly focused on delivering quality care to their patients. Often times they rely on smaller, local IT companies and consultants to provide a patchwork of disjointed services that are not up to the task of dealing with today's cybercriminals. Instead, turning to a mature managed security services provider (MSSP) with a global reach can provide a comprehensive set of threat, vulnerability and compliance management services under one roof - and create economies of scale in both direct costs, as well as administrative costs, with the end result being a greatly improved security outcome.
Operating under a 'checkbox mentality': The aforementioned HIPAA regulation carries more teeth than it ever has - with violators being steadily fined following breaches - and a new round of audits is imminent, albeit delayed. But like any compliance mandate, HIPAA should be viewed as the floor, not the ceiling, of good security. Organizations that go above and beyond compliance typically are the ones least likely to fall victim to a major compromise.
For more insight and quick-hit advice on improving one's security risk profile, check out our 2014 State of Risk Report.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.