Why Are So Many Healthcare Companies Still Being Breached?

The following is a guest article by Terry Ray, SVP, Data Security GTM, and Field CTO at Imperva

Despite satisfying regulatory requirements, 93% of healthcare organizations have experienced a data breach within the past three years and 57% have been breached more than five times over that span. The alarming frequency and severity of these breaches leave many wondering why. The Health Insurance Portability and Accountability Act (HIPAA) is one of the most well-known – though broadly misunderstood – data protection regulations, and it includes stiff penalties for noncompliance. With such stringent protections in place, why do healthcare data breaches continue to persist?

Why do Attackers Target Healthcare?

Personal data of any kind can be sold for a profit on the dark web, but health records represent a particularly lucrative target for attackers. While social security numbers are valued at around $1 each and credit card information can fetch anywhere from $5 to $100, medical records can easily be worth thousands to cyber criminals. What’s more, bank accounts can be closed and credit cards canceled, but medical records contain unalterable information that can be used to file fraudulent insurance claims, obtain prescriptions, and engage in other illicit behavior. Protecting that data is critical.

HIPAA plays a role in that protection, but there is a persistent misconception that compliance and security are synonymous. This is not the case. Although there is some overlap between the two, HIPAA is not designed for comprehensive data security. HIPAA mandates certain minimum requirements for healthcare providers when it comes to protecting sensitive patient data, which makes it a helpful starting point—not an ending point. Unfortunately, that nuance is often misunderstood. This has resulted in a false sense of security for some organizations, who believe that meeting HIPAA’s minimum standards means their data is sufficiently protected.

Why is Healthcare so Vulnerable?

A number of factors contribute to the complex data security risks faced by healthcare organizations, including the inherent trust in electronic health record (EHR) systems and continued reliance on legacy systems. Organizations often lack the necessary expertise to effectively secure EHR systems, while legacy systems are generally no longer supported by the original manufacturers—making vulnerabilities and security gaps difficult to remediate. A sprawling IT infrastructure, including internal and external sources, is also a challenge, with data spread across data centers, the cloud, file servers, storage, smartphones, laptop computers, and more.

Social engineering and ransomware are popular attack methods used by bad actors, and it’s important for healthcare organizations to have solutions in place to mitigate them. Moreover, software supply chain attacks, in which adversaries gain access through a compromised vendor or partner, are becoming more common. That being said, human error and insider threats can lead to breaches just as easily as external ones. Mishandled data, lack of access controls, and cloud misconfigurations can leave data dangerously exposed, and disgruntled or opportunistic employees with access to sensitive data can pose a significant problem.

How can Healthcare Organizations Build on HIPAA?

Addressing these challenges requires a comprehensive data security strategy that goes beyond HIPAA requirements. Organizations should implement a robust training program to teach employees how to recognize red flags and better understand the reasons for certain security procedures. Strict access controls should be implemented as well, to limit the data that employees have access to and ensure that insiders cannot access information or systems they don’t need. Monitoring user activity can also help by flagging anomalous behavior to security teams, such as an IT employee attempting to access human resources or financial data.
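One way to turn the access-control and monitoring advice above into a concrete check, as an added example that is not from the article or from Imperva: a role-to-data-category policy is applied to audit log events, and any access outside a role's permitted categories (such as an IT account touching HR or financial data) is flagged. The log format, role names, and categories are assumptions constructed for illustration.

```python
import re

# Constructed least-privilege policy: the data categories each role may access.
# Roles and categories are assumptions for this example, not from the article.
ALLOWED_CATEGORIES = {
    "clinician": {"ehr"},
    "billing": {"ehr", "financial"},
    "hr": {"hr"},
    "it": {"system"},
}

# Constructed audit log: "timestamp user role category resource" per line.
SAMPLE_AUDIT_LOG = """\
2024-03-01T08:02:11Z jdoe clinician ehr patient/1042
2024-03-01T08:05:40Z asmith it system backup/nightly
2024-03-01T08:06:02Z asmith it hr payroll/2024-02
2024-03-01T08:07:19Z asmith it financial ledger/q1
2024-03-01T09:15:33Z bwong billing financial claim/7731
2024-03-01T09:16:01Z bwong billing hr employee/88
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_audit_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, role, category, resource = m.groups()
    return {"ts": ts, "user": user, "role": role,
            "category": category, "resource": resource}

def find_policy_violations(log_text, policy=ALLOWED_CATEGORIES):
    """Return events whose role is not permitted to access the data category.
    A role missing from the policy is treated as allowed nothing, so it is
    flagged too: an unmodelled role is itself a least-privilege gap."""
    violations = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None:
            continue  # skip blank or malformed lines rather than crashing
        if ev["category"] not in policy.get(ev["role"], set()):
            violations.append(ev)
    return violations

if __name__ == "__main__":
    for ev in find_policy_violations(SAMPLE_AUDIT_LOG):
        print(f"ALERT {ev['ts']} {ev['user']} ({ev['role']}) "
              f"accessed {ev['category']} data: {ev['resource']}")
```

On the constructed log this raises three alerts: the IT account reading payroll and ledger data, and the billing account reading an employee record.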

As third-party breaches increase, it is critical for healthcare organizations to carefully vet potential partners and vendors to understand whether they have the ability to protect the data they come into contact with. It is equally critical for organizations to ensure that their own systems have effective—and thoroughly tested—backup and recovery systems in the event of a ransomware attack or other incident. Perhaps most importantly, these protections and backup systems need to cover all data stores, not just those known to contain sensitive information. As systems become increasingly interconnected, healthcare organizations need to adopt a more holistic approach to security or they risk having attackers gain access to their data via poorly protected systems.

Don’t Just Check the HIPAA Box

Many of these steps align with the requirements outlined in HIPAA, but others use HIPAA as a starting point and build toward a more comprehensive approach to security. Organizations only interested in “checking the box” when it comes to compliance will soon find that the minimum requirements outlined in HIPAA are not enough in today’s complex and challenging threat landscape. Employee training, behavior monitoring, access controls, and other steps aren’t just a good idea—they are necessary and fundamental measures needed to help healthcare organizations face today’s increasingly advanced threats.
