Why Healthcare Organizations Must Incorporate Data Privacy into Their Cybersecurity Strategies – and How to Do It

The following is a guest article by Monique Becenti, Security Strategist, Pondurance.

Healthcare organizations continue to represent a prime target for hackers – if not the leading one: The average cost of a breach for the industry now stands at $7.13 million (the highest of any sector), compared to less than $4 million for organizations overall.

What’s more, it takes 329 days for hospitals and other healthcare organizations to identify and contain a breach (i.e., the lifecycle of an incident), or seven weeks longer than the average lifecycle for companies in general. Again, healthcare leads all sectors in this category.

Given the circumstances, the industry’s chief information security officers (CISOs) and their teams are firmly focused on implementing new tools and practices to better protect their digital assets. But – with a wave of global regulations now in place, and more likely to come – they cannot frame their resources and objectives solely around cybersecurity as a standalone effort, because data privacy has emerged as a critical priority as well.

Specifically, the European Union’s General Data Protection Regulation (GDPR) triggered the wave by requiring businesses to design personal data protection into the development of their products and services. In addition, they must document how and where data is stored, how it is processed, and most importantly, give consumers control over how organizations can use their data.

In the U.S., at least a half-dozen states have followed up with similar regulations: To comply with the recently passed California Privacy Rights Act (CPRA), for example, businesses must minimize their usage, retention, and sharing of personal information to what is reasonably needed to conduct their stated intent (i.e., the GDPR’s “data minimization” principle). Organizations will also have to deploy security measures that assure the confidentiality, integrity, and accessibility of personal data. If they fail to do so and a subsequent attack exposes personal information, affected consumers will be able to sue the breached companies.

If all of this sounds like a lot to take on, that’s because it is. Fortunately, cybersecurity and privacy compliance are not mutually exclusive disciplines: the steps taken to best protect digital assets and devices serve as a solid foundation for an effective data privacy strategy. Security is about preventing unauthorized individuals from accessing data, whether it is intellectual property or the personally identifiable information (PII) of patients and employees. Privacy is about properly managing, collecting, sharing, and – if necessary – deleting customer/patient data.

Privacy compliance is a natural extension of proven security practices – both depend upon the proper execution of data protection and management. To illustrate this, let’s walk through the essential components of each, starting where CISOs need to begin – cybersecurity:

Cybersecurity Essential Components

Encryption. Healthcare CISOs must use cryptographic algorithms to scramble sensitive information so that it is readable only by someone holding the decryption key. With this, they’ll prevent adversaries from reading the information if they intercept it during an attack.

Access control. This is all about accurately answering the “Are you who you say you are – and do you belong here?” question. If unauthorized parties gain access to, say, the domain controller, then they can compromise critical accounts, user data, and proprietary/sensitive information.

Human intelligence. Ongoing innovations such as automation and artificial intelligence (AI) are profoundly expanding the capabilities of security teams – but they cannot replace them. We will always need the human intuition of analysts, threat hunters, and incident responders to successfully fortify networks, systems, applications, and devices.

Managed Detection and Response (MDR). CISOs have to establish deep visibility into all network, log, and endpoint activity, with 24/7/365 detection and response. But they may not have the personnel or budget to do so. That’s when they should consider bringing on an MDR partner, to outsource many (if not all) of these responsibilities to proven experts in threat hunting, prevention, and mitigation.

Data Privacy Essential Components

Discovery and classification. With discovery, CISOs and their teams scan their digital ecosystem to identify where both structured and unstructured data exists. With classification, they categorize and prioritize all of their data according to privacy risk levels and considerations. Again, this demonstrates that privacy and security are not mutually exclusive. For years, security teams lived by the mantra, “You cannot defend what you cannot see.” The concept extends to discovery and classification for privacy.

Minimization. As GDPR and the other regulations require, organizations must limit the amount of personal data collected and maintained – they should not hold on to every bit of it that they encounter. Optimal minimization will lead to a smaller digital footprint, thus reducing risk.

Consent. Users such as patients want to know what a hospital plans to do with their data. To address this, regulations are directing organizations to gain consent from these individuals before any intended usage of their information.

Deletion. As part of a comprehensive privacy policy, teams must be capable of deleting data at a user’s request.
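The four privacy components above (discovery, classification, minimization, and deletion) map naturally onto a small data-handling pipeline. The following is an added worked example, not code from the article’s author or from Pondurance. It assumes a constructed patient dataset (one structured record per patient plus a free-text clinical note), a hypothetical field-to-risk mapping, simple regular-expression detectors for personal data inside free text, and an assumed allow-list of the fields the organization actually needs for its stated purpose; every record value is made up.

```python
"""Discovery, classification, minimization and deletion over a constructed
patient dataset. All records, field names, risk tiers and detectors are
assumptions made for this illustration, not a real policy."""
import re
from typing import Dict, List, Tuple

# Constructed sample data: a structured record per patient plus a free-text note.
STRUCTURED_RECORDS: List[Dict[str, str]] = [
    {
        "patient_id": "P-1001",
        "name": "Jane Example",
        "ssn": "123-45-6789",
        "email": "jane@example.com",
        "diagnosis": "hypertension",
        "visit_reason": "follow-up",
        "favorite_color": "blue",  # collected, but never needed for care
    },
    {
        "patient_id": "P-1002",
        "name": "John Sample",
        "ssn": "987-65-4321",
        "email": "john@example.org",
        "diagnosis": "asthma",
        "visit_reason": "new patient",
        "favorite_color": "green",
    },
]
UNSTRUCTURED_NOTES: Dict[str, str] = {
    "P-1001": "Jane Example (SSN 123-45-6789) asked to be contacted at jane@example.com.",
    "P-1002": "Routine visit, no complaints, no follow-up needed.",
}

# Classification policy (assumed): field name -> privacy risk tier.
RISK_BY_FIELD = {
    "ssn": "high",
    "diagnosis": "high",
    "name": "medium",
    "email": "medium",
    "patient_id": "medium",
}
DEFAULT_RISK = "low"

# Detectors for personal data hidden in free text (constructed, deliberately simple).
TEXT_DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Minimization policy (assumed): the only fields needed for the stated purpose.
REQUIRED_FIELDS = {"patient_id", "name", "diagnosis", "visit_reason"}


def classify_field(name: str) -> str:
    """Return the privacy risk tier for a structured field name."""
    return RISK_BY_FIELD.get(name, DEFAULT_RISK)


def discover_structured(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Inventory every field present in the structured records with its risk tier."""
    inventory: Dict[str, str] = {}
    for record in records:
        for name in record:
            inventory[name] = classify_field(name)
    return inventory


def discover_unstructured(notes: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which personal-data types each free-text note contains."""
    findings: Dict[str, List[str]] = {}
    for note_id, text in notes.items():
        hits = sorted(kind for kind, rx in TEXT_DETECTORS.items() if rx.search(text))
        if hits:
            findings[note_id] = hits
    return findings


def minimize(record: Dict[str, str]) -> Dict[str, str]:
    """Keep only the fields the stated purpose needs; everything else is dropped."""
    return {k: v for k, v in record.items() if k in REQUIRED_FIELDS}


def delete_patient(
    records: List[Dict[str, str]], notes: Dict[str, str], patient_id: str
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Honour a deletion request across both stores; returns the remaining data."""
    remaining_records = [r for r in records if r["patient_id"] != patient_id]
    remaining_notes = {k: v for k, v in notes.items() if k != patient_id}
    return remaining_records, remaining_notes


if __name__ == "__main__":
    print("structured inventory:", discover_structured(STRUCTURED_RECORDS))
    print("free-text findings:", discover_unstructured(UNSTRUCTURED_NOTES))
    print("minimized:", [minimize(r) for r in STRUCTURED_RECORDS])
    print("after deletion:", delete_patient(STRUCTURED_RECORDS, UNSTRUCTURED_NOTES, "P-1001"))
```

The free-text pass is the part most often skipped: even after the structured record is minimized to the allow-list, the clinical note for P-1001 still carries the SSN and e-mail address, so a deletion or minimization policy that only covers database columns leaves high-risk data behind. Discovery has to cover both stores before classification and deletion can be trusted.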

These steps ultimately lead to a quality that all healthcare organizations should aspire to today: transparency.

After all, people are concerned about how their data is collected, managed, and protected. Keeping them in the dark may produce short-term gains, but will likely result in eventual regulatory violations/fines and reputational damage. By demonstrating their commitment to the highest standards of digital defense and of data privacy oversight and disclosure, CISOs can greatly distinguish their organization’s value from the rest of the pack. That’s not just good for security and privacy – it’s good for business.
