Data still vulnerable for healthcare organizations, other entities

Bad actors continue to experience success in gaining unauthorized access to protected health data and other types of business information.

“Seemingly, no matter what defensive measures security professionals put in place, attackers are able to circumvent them,” Verizon acknowledges in its most recent annual report on data breaches, spanning 86 nations. “No organization is too large or too small to fall victim. No industry is immune.”

“Regardless of the type or amount of your organization’s data, there is someone out there trying to steal it. Having a sound understanding of the threats you and your peers face, how they have evolved over time and which tactics are most likely to be utilized can prepare you to manage these risks more effectively and efficiently.”

Healthcare stands out among industries because the majority of its breaches result from internal actors, the employees. Denial-of-service attacks are infrequent in healthcare; the real threat to information availability comes from ransomware attacks.


Of 466 healthcare data security incidents, 304 had confirmed data disclosure. Miscellaneous errors, privilege misuse of data and web applications are responsible for 81 percent of incidents in the healthcare industry. Verizon offers six best practices to prevent breaches:

Keep it clean: Many breaches are a result of poor security hygiene and a lack of attention to detail. Clean up human error where possible, then establish an asset and security baseline around Internet-facing assets like web servers and cloud services.

Maintain integrity: Web application compromises now include code that can capture data entered into web forms. Consider adding file integrity monitoring on payment sites, in addition to patching operating systems and coding payment applications.

Re-double your efforts: Use two-factor authentication everywhere—on customer-facing applications, any remote access and cloud-based email. There are examples of two-factor vulnerabilities, but they don’t excuse lack of implementation.

Be wary of inside jobs: Track insider behavior by monitoring and logging access to sensitive data. Make it clear to staff just how good you are at recognizing fraudulent transactions.

Scrub packets: Distributed denial of service protection is an essential control. Guard against non-malicious interruptions with continuous monitoring and capacity planning for traffic spikes.

Stay socially aware: Social attacks are effective ways to capture credentials. Monitor email for links and executables. Give your teams ways to report potential phishing or pretexting.
