After high-profile data breaches at Anthem and Premera and a continual string of breaches at several smaller health care organizations, cybersecurity experts around the globe are dubbing 2015 the year of the health care data breach.
Why are all of these breaches happening? Simply put, the sensitive nature of personal health information makes this data a goldmine for attackers. Not only is the data itself appealing to obtain, but because of health care’s extensive partner network — made up of providers, administrators, insurance companies, billing partners and more — health care data is often vulnerable at many points throughout the business process. According to a report from the Shared Assessments Program and Protiviti, third-party risk programs in the health care industry lack maturity and put confidential patient data at risk.
Additionally, with more and more health care organizations taking advantage of the accessibility and scalability of the cloud, the lack of focus on third-party security only creates more risk. Case in point: In September 2015, insurance claim data and other highly sensitive patient information was inadvertently posted on Amazon Web Services after an error was made by claims administration software provider Systema Software. So, what steps can health care organizations take to ensure their partner networks are not putting them at risk? In this slideshow, Brian Ahern, CEO of Threat Stack, provides five tips health care organizations can use to improve their security posture and better protect sensitive patient information.
Protecting Sensitive Patient Information
Click through for five tips health care organizations can use to improve their security posture and better protect sensitive patient information, as identified by Brian Ahern, CEO of Threat Stack.
Inventory Third-Party Relationships
Perform a comprehensive inventory of all your existing third-party relationships.
No matter the size of your health care organization, third parties pose one of the greatest security threats to your data. In fact, according to the Ponemon Institute, 65 percent of organizations that reported sharing data with a partner also reported a subsequent breach through that partner. The simplest way to protect your health care data from third parties is by knowing who’s handling your data. Start by making a list of all the third parties that come into contact with your data (because if it’s not immediately clear who’s handling your data, how on earth can you protect it?). Your list should also include any external software engineers or IT consultants, and/or your data backup company. It should also include your data center, cloud hosting provider and/or phone provider. Make sure this list is continually kept up to date and made accessible to all authorized personnel in your organization.
Review Third-Party SLAs
Ensure third-party service-level agreements (SLAs) are in place, up to date and optimized to effectively outline the roles and responsibilities of all parties.
Once you’ve established who is coming into contact with your health care data, it’s crucial to determine what level of service those third parties will provide, particularly so that no security responsibilities are neglected. For example, if your cloud hosting provider assumes your organization will implement and update your firewalls, but your organization assumes the cloud hosting provider will be handling firewall maintenance, that crucial security measure will be neglected and your data will be vulnerable. Clearly defining third-party responsibilities and policies for topics such as equipment use, network use, virtualization technologies and incident response can help ensure security and prevent potential liabilities in the event of a breach.
Establish KPIs
Establish key performance indicators to continually ensure all parties are complying with those SLAs.
SLAs can help you keep tabs on third parties and eliminate any confusion about who’s responsible for what, but it can be tricky to determine if all parties are actually complying with the responsibilities and policies outlined in the SLAs. Establishing mutually agreed upon KPIs with all participating parties can help you gauge their impact and improve communication. By objectively measuring items like service-delivery effectiveness, performance efficiency or agility (i.e., ability to respond to changes), you can begin to prioritize the KPIs that matter most to your organization. You can also better detect early warning signs of problems with SLAs, and use your KPIs as the basis for a discussion about improving or expanding your SLA with a third party.
Know Your Insider Threats
Do you know which applications, processes, and users are accessing personally identifiable information (PII) in your systems? Can you be certain that PII access is limited to only approved and authorized users? Health care organizations need to be able to answer these questions, because even with tight security controls in place, insiders can often obtain unauthorized access to highly confidential data like PII. Continuous security monitoring can mitigate this security risk by offering constant visibility into the processes, users and network activity related to PII while still allowing your organization to function at its normal velocity. Health care organizations should also employ additional security controls for their employees’ mobile devices (including encryption, secure passwords and app usage monitoring) and enforce strict “shadow IT” policies. By monitoring which work-related cloud services or SaaS products employees are using and ensuring work-related passwords aren’t used for those accounts, it will be much more difficult for attackers to leverage employee information to gain access to your data.
Defend Against External Threats
Millions of patient records are processed and stored across health care networks each year. And unfortunately, this data — in transit or at rest — is a high-value target for attackers. In order to mitigate external security threats, health care organizations must identify any areas of potential weakness. For instance, do you know if your systems are connected to external command and control applications? Do you know the types of reconnaissance and exploitation attempts that are being directed at your servers in the cloud? You can’t protect against attacks you can’t see, so continuous security monitoring can be helpful here. It can provide host-level intrusion detection based on behavior changes (rather than on specific attack signatures) and when deployed across your entire infrastructure, it can identify security gaps so you can take action and reduce your attack surface. Also, it’s important for health care organizations to remember to secure their physical infrastructure. While cloud services are often mentioned in connection with health care data breaches, the majority of breaches are a result of outsiders taking advantage of an unattended mobile phone or laptop.
