How a layered data security strategy helps providers stay safer
The recent data breach at the Los Angeles County Department of Health Services demonstrates the risk that hired third-party vendors pose to healthcare organizations.
The phishing attack at the Los Angeles agency compromised the health information of 14,600 persons.
While many providers continue to leave themselves open to attack by not using appropriate security controls, the controls are comprised if appropriate policies are not in place, says Andrea Limbago, chief social scientist at Virtru, a data encryption vendor. “End-to-end encryption would have made the attack more difficult to pull off, and therefore may have deterred the attacker,” Limbago explains.
But because the attack occurred through phishing, it is impossible to say it could have been prevented. Overall, a greater focus on combining data encryption with access controls that evolve over time would have enabled revocation of the data, which could have minimized the amount of data that was compromised.”
Because providers generally have multiple partners with each other and vendors, they need to learn how to mitigate risks that accompany third-party data access.
Healthcare providers should not assume other parties will protect their data, so they should implement a strategy that provides greater control of the data even after it leaves their own network, Limbago notes.
“This includes protections that are bound to the data, such as encryption, while also ensuring the security program is usable across the workforce. Employees will find a means to circumvent a security safeguard if it limits their ability to do their job, so any security solution must work within business workflows.”
There are programs available to providers to increase employee awareness of phishing and other tools such as automated phishing detection software. Again, however, caution rules, she warns. “Many of today’s phishing attacks look extremely legitimate and fool even the most savvy information security professionals. A layered defense can protect data and alter an attacker’s risk calculus so they seek greener pastures elsewhere.”
The layered approach should include phishing detection, two-factor authentication, end-to-end encryption, patch management and password management, Limbago explains. “These protections stop the majority of attacks and force attackers to use more sophisticated means, which may be out of their technical reach.”