4 keys to better defend healthcare data against ransomware
Healthcare IT is moving to the cloud; unfortunately, so are opportunistic hackers.
In fact, healthcare cybercrime has become so common that its costs exceed the global healthcare cloud computing market's value. In the past five years, cyberattacks against hospitals have more than doubled, costing the U.S. health system $6 billion annually. Industry researcher MarketsandMarkets valued the world's healthcare cloud computing sector at $3.73 billion in 2015, which it expects to approach $9.5 billion by 2020.
But costs are hardly the only concern. Cloud attacks like the WannaCry ransomware that infiltrated U.K. hospitals this May put patients' lives at risk. Once inside a system, viruses wreak havoc, blocking patient records and infecting other connected devices.
Records databases are common targets for cyberattacks (and ransomware, in particular), but cybercriminals are looking elsewhere, too. Many of the medical devices patients depend on to stay alive are dangerously insecure.
With cyberattacks threatening lives and poaching profits, healthcare providers have an obligation to cut cybersecurity risks. Until they do, breaches will continue to grow in frequency and severity.
Healthcare hacks will continue because they're extraordinarily profitable for cybercriminals. As of this writing, WannaCry's creators have extorted more than $140,000 in Bitcoin from victims. So how do these hackers get in, and what can healthcare IT providers do to defend themselves?
According to the May 2017 Verizon Data Breach Investigations report, three factors are responsible for 80 percent of healthcare security breaches: privilege misuse, miscellaneous errors, and physical theft or loss.
Privilege misuse means sabotage from within. When employees abuse their positions for illicit profit, security measures often fail to stop them. The same is true for miscellaneous errors, which are similar acts performed unintentionally. Opening infected email attachments, plugging in mystery USB drives and giving away information over the phone can all give hackers unintentional access.
Other security failures stem from physical loss or theft. A misplaced USB drive or stolen laptop can be catastrophic. And with so much healthcare information still stored on paper, improper document disposal is another common cause.
There is one factor, however, not addressed by Verizon's report: false or otherwise improper assurance reporting. Organizations tend to toss around "HIPAA-compliant," which carries little weight without market-driven standards for assessing compliance. The Department of Health and Human Services' Office of Civil Rights does its best to enforce HIPAA requirements, but a lack of resources means it often fails to keep facilities compliant between audits.
Much-needed common compliance standards may be coming. In recent years, the HITRUST framework has made headway in the market. Still, to protect themselves from hacks, healthcare companies must take initiative. By streamlining assurance and reporting not only for compliance, but also for attack readiness, healthcare IT professionals can fight future infiltrations.
As the Internet of Things grows, healthcare data risks will only become more serious. Industry leaders can take the following four steps to keep their systems secure.
Back up data
Data backup has been a best practice for years, yet ransomware continues to delete siloed data. Even in the cloud, data should be backed up. Set up a structure to double-save data, and test the integrity and recoverability of the backups. The best solution is to move to an immutable infrastructure that can restore the entire environment to its prebreach state.
Don't forget to create retention policies and encrypt backups, too. Although some argue that encryption slows system performance, modern technology makes speed differences negligible. If encryption creates slowdown, factors such as outdated hardware could be to blame.
To be clear, backing up data will not prevent a breach, but it could lessen the fallout. Victims have little reason to pay a ransom to save data when that information is backed up elsewhere. Cyber insurance programs, such as those available through HITRUST and its partners, can also cut breach costs.
Eliminate email phishing
Too often, organizations bank on phishing identification exercises and awareness programs to address hacks. Although awareness is important, phishing analytics services aren't a sensible use of resources. Quantified or not, phishing attempts will continue.
Instead, re-evaluate internal communications. One solution is to eliminate email entirely and rely on other channels, such as Slack. For a less drastic approach, implement safeguards to block internal emails that do not originate from internal IP addresses. This will prevent hackers from spoofing emails from executives on internal email addresses.
Also consider adopting data loss prevention tools like Proofpoint Email Protection to flag suspicious emails and reduce the role user judgment plays in the equation. For a preparedness check, take advantage of CyberRX’s free evaluation procedures.
Patch systems frequently
Many system updates aren't cosmetic changes; they're essential security fixes. Fully half of all system vulnerabilities stem from failing to apply security patches. Organizations that neglect this responsibility can even be prosecuted for it: A couple of years ago, Anchorage Community Mental Health Services paid a $150,000 HIPAA settlement after outdated software was breached.
Start by checking software for available updates today. Implement a policy that makes future patch installation mandatory. The longer patches remain uninstalled, the more likely a breach becomes. For firms with 75 or fewer employees, CyberAID offers a low-cost solution to bolster security beyond standard system defenses.
Tokenize patient records
Finally, to address all three of the risks in Verizon's report, tokenize patient records. Health records are worthless to hackers who cannot tie them to actual patients. Review the HITRUST De-Identification Framework for more information on how to thwart attempts to gain patient data.
As cloud storage becomes more prevalent and the healthcare industry embraces the IoT, security risks will pose dangers to new devices, records, and lives. Don't wait until after an attack to think about data security—act now to fortify system defenses and protect cloud-connected access points.