How to beat cyber risks to your healthcare or medical business
By Ken Michael
Every industry faces its own unique set of cyber threats, and the healthcare industry is no exception. The reality is that no industry or organization is completely bulletproof when it comes to cybersecurity, but there are ways to mitigate threats to businesses by implementing the right IT products and services. Here’s a look at the top three threats to the healthcare industry today and ideas for combating them.
By understanding the specific risks to your industry and business, you can best mitigate threats and use your security budget wisely. Now in its 11th year, one of the greatest tools for assessing cybersecurity risk is the Data Breach Investigations Report (DBIR) by Verizon. The report is issued on an annual basis and analyzes cybersecurity incidents and breaches from numerous industries including healthcare.
A History of Threats
Between 2016 and 2018, data from the Verizon DBIR shows consistent threats facing healthcare. The top three threats to the healthcare industry over the last three years are stolen assets and the physical loss of data, privilege misuse and abuse (insider threats), and miscellaneous errors. Of the breaches reported, 79 percent involved medical data, 37 percent involved personal data, and 4 percent involved payment systems.
Data from the DBIR over the last three years also shows cybersecurity incidents and confirmed breaches are on the rise in healthcare. According to the 2016 DBIR, there were 166 confirmed breaches in the industry while the most recent 2018 report shows there were 536 confirmed breaches and 750 incidents. Healthcare has the third largest number of breaches and incidents among all industries studied in the report.
Lost & Stolen Assets
While retailers are most likely to get hit by remote attacks involving point of sale (POS) terminals and controllers, healthcare is also affected, as patients make transactions at medical facilities, by mail, and online. Remote card breaches are still common, and the use of stolen credentials to access POS environments was on the rise in 2016. “Command and control functionalities are being reported at a much higher rate than in years past…,” according to the 2016 report.
RAM scraping continued to be an issue according to the 2016 report, which also determined that keylogging malware played a significant role in many POS attacks. The latter method allows valid login credentials to be captured and used against a business.
Small businesses may be especially at risk, as their POS environment may simply be a single computer that processes payments but is also used for tasks such as social media, checking personal email, and other web-based functions. This can open the door to risk for “the POS application which is all alone with no anti-virus or host-based firewall to talk to,” read the 2016 report. The 2017 report showed that 61 percent of data breach victims that year were businesses with fewer than 1,000 employees, further emphasizing the need for small businesses to protect themselves.
Larger businesses also continued to suffer from POS breaches, such as the one Target experienced in 2013 that affected 41 million consumers and cost the company $18.5 million. These larger POS breaches are typically the result of static, single-factor authentication.
Insist on MFA
One way to combat the theft of assets such as funds through a POS environment is to require multi-factor authentication (MFA) wherever possible. Multi-factor authentication can be as simple as a hardware token or a mobile application. From requiring employees to wear identification cards and use codes to enter a building, which protects the physical security of your business, to requiring two means of authentication for logging into a network, MFA can help save the day (and your data).
Brute force attacks are down but still relevant, according to the 2016 report. The 2017 report showed that 80 percent of hacking-related breaches leveraged either stolen passwords or passwords that were too weak or simply guessable.
To push this number down, both small and medium businesses must adopt stronger passwords. Using personal information in plain text is not enough to keep a cybercriminal at bay. All passwords should include at least one of each of the following: capital letters, lowercase letters, numerals, and special characters. To learn more about crafting better passwords, see the Dox blog on problems with passwords and how to address them.
Things like cell phones, USB drives, and tablets get lost and misplaced. There are also thieves in the world who will gladly take a laptop if given the opportunity. Protect your data by encrypting all devices tied to your business. This measure can help stop theft and loss incidents that have the potential to turn into breaches. An added measure is to establish a corporate culture where printing sensitive data is frowned upon, as the majority of confirmed breaches in 2017 involved the loss of hardcopy documents.
Connect with your IT department or reach out to an IT organization like Dox to determine what monitoring options are available for your POS environment. You’ll want software that can track and verify abnormal remote logins so you can stop breaches before they happen or catch them early.
Keep ‘Em Separated
Your POS environment should be kept completely separate from your corporate LAN. This may require extra hardware such as additional computers, but it will help ensure that your POS environment is not visible to the entire internet, which keeps it better protected.
Insider Abuse & Privilege Misuse
Healthcare is the only industry in which internal threats were greater than external threats, according to the 2018 DBIR. Of those threats, 56 percent were internal and 43 percent were external.
Though some internal abuse stems from curiosity or fun (13 percent), such as researching a celebrity patient, the other 43 percent was accidental or malicious in nature. Insiders absconded with data in the hope of converting the stolen trove into cash. In some cases, employees took information to a new employer or to launch a new company (15 percent) or were caught snooping around without permission (17 percent).
When researchers looked at which insiders were causing the most problems, nearly a “third were end users with access to sensitive data as a requirement to do their jobs.” Only 14 percent were in management or C-suite leadership roles, and another 14 percent was attributed to those with elevated access privileges such as developers or system administrators, according to the 2016 report. That means the greatest number of insiders abusing or misusing their privileges were lower-level employees.
“Insider incidents are the hardest and take the longest to detect,” reads the 2016 DBIR. “Of all the incidents, these insider misuse cases are the most likely to take months or years to discover.”
Whether by accident or on purpose, insider misuse and abuse is so difficult to detect because insiders can wreak havoc with your data from inside the carefully constructed defenses of your business or organization. In insider misuse and abuse cases, there is often collusion between internal and external actors, according to the 2016 report.
The rule here is to forget about titles and look at user access. Business leaders should retain a healthy level of suspicion toward all employees and use the rule of least privilege to restrict data access to a “need to know” basis. Implement limiting, logging, and monitoring of use. You can read more about reviewing user roles and responsibilities.
While bonding with your employees and spoiling them with donuts on Friday mornings is great, they need to be watched. Be on the lookout for large data transfers, as this is a red flag. Company leadership should monitor the activity of every employee, with a particular focus on those with access to “monetizable data such as financial account information, personally identifiable information (PII), payment cards, and medical records.”
Be especially cognizant of the use of USB drives by employees. Audits in the 2016 dataset showed that after an employee left, evidence was often found that they had used a USB drive to transfer data before they departed. We highly recommend taking measures such as logging metadata and employing software to identify use of portable drives sooner rather than later.
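As an added example (not code from the original post or from Dox), the two signals above, a data transfer far larger than a user's own history and removable-drive use by an employee who has given notice, can be pulled out of audit logs with a short script. The log format, user names, departing-user list, and thresholds are all constructed assumptions.

```python
"""Flag two insider-risk signals in constructed audit log lines:
unusually large transfers relative to the user's own baseline, and
removable-drive use by employees on an assumed HR departure list."""
from collections import defaultdict
from statistics import mean

# Constructed sample log: timestamp, user, event, size_bytes (0 for non-transfers)
SAMPLE_LOG = """\
2018-05-01T09:12:00,jdoe,transfer,120000
2018-05-02T10:03:00,jdoe,transfer,95000
2018-05-03T11:40:00,jdoe,transfer,130000
2018-05-04T17:55:00,jdoe,transfer,4800000000
2018-05-01T08:30:00,asmith,transfer,50000
2018-05-03T18:10:00,asmith,usb_attach,0
2018-05-04T19:02:00,asmith,transfer,60000
"""
DEPARTING_USERS = {"asmith"}  # assumed list of employees who have given notice
SPIKE_FACTOR = 20             # transfer must exceed 20x the user's prior mean
MIN_HISTORY = 3               # prior transfers needed before judging a spike

def parse_log(text):
    """Parse CSV lines into (ts, user, event, size) tuples, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, event, size = line.split(",")
        rows.append((ts, user, event, int(size)))
    rows.sort()  # ISO-8601 timestamps sort chronologically as strings
    return rows

def find_alerts(rows):
    """Return (user, ts, reason) tuples for each flagged event, in log order."""
    history = defaultdict(list)  # per-user transfer sizes seen so far
    alerts = []
    for ts, user, event, size in rows:
        if event == "usb_attach" and user in DEPARTING_USERS:
            alerts.append((user, ts, "removable drive used by departing employee"))
        elif event == "transfer":
            prior = history[user]
            # Compare against the user's own baseline, not a global threshold
            if len(prior) >= MIN_HISTORY and size > SPIKE_FACTOR * mean(prior):
                alerts.append((user, ts, f"{size} bytes exceeds {SPIKE_FACTOR}x baseline"))
            prior.append(size)
    return alerts

if __name__ == "__main__":
    for user, ts, reason in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{ts} {user}: {reason}")
```

Running it on the sample flags the USB attach by the departing user and the 4.8 GB transfer by a user whose earlier transfers averaged around 115 KB; tuning the factor and history length to your own environment is the real work.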
Watch Your Data
In order to effectively protect your data, you need to know where it is and who has access to it. Ensure that leadership is aware of where all data is stored, particularly sensitive data, whether in electronic or paper format. Be careful about who has access to both types of data and to what degree. You can learn more about insider use and abuse in the Dox blog.
Alexander Pope wrote, “To err is human…” This is absolutely true when it comes to technology. Breaches and lost data can result from the unintentional actions of your employees. Losing information by employee error often occurs in one of three ways: Misdelivery, publishing, and disposal.
The most prevalent error, per the 2016 report, was the “misdelivery of information in both paper and digital forms.” In 2016 and 2017, phishing was the top means of hacking into networks, which can allow the installation of persistent malware. The 2017 report found that one in 14 users were duped into following a link or opening an attachment, and of those tricked, 25 percent had it happen more than once.
Misdelivery means sending emails or documents with sensitive data to the wrong recipient. This can occur when an employee is overworked, under time or workload pressure, or simply has other things on their mind. Hitting the send button on a sensitive email before double checking the recipient list can cause serious issues as can sending a patient’s bill to the wrong address.
The publication of information for an unintended audience, such as pushing confidential data to the internet, remains in the top five errors. This can occur when data is added to social media or opened to the internet. An employee may accidentally publish private data to a public website, or unencrypted data attached to emails can be easily stolen.
Also among the top five mistakes that can lead to a breach is improper disposal of sensitive data. These are primarily documents that are inadvertently thrown in the trash without being shredded or disposed of by more private means. Employees accidentally throw away everything from sticky notes with logins and passwords to printed paper with patient information.
Learn from Mistakes
Your business or organization should learn from the mistakes of its employees. Keep records of common errors that have led to data loss and share this information with your staff along with ways to combat such mistakes. For example, did an employee accidentally cc: all staff in a private email? This is where some great security training comes in.
Use the data your company has kept to add controls addressing common mistakes. While not every mistake will ever be fully covered, adding controls can minimize the frequency of occurrences and perhaps mitigate the damage they do. Develop and enforce formal procedures for disposing of anything that might contain sensitive data. Institute a four-eyes policy (i.e., two people reviewing every document) before anything is published.
Training for the Win
One of the best controls for addressing end-user errors is to provide regular security awareness training. In addition to new employees who should be receiving training during the onboarding process, all employees should receive ongoing security awareness training at least once a year. Read more about the need for annual training.
Train employees about the proper disposal of information. This can range from properly wiping all assets such as laptops and cell phones before they are disposed of or resold to the shredding of printed documents. All assets should go through a rigorous check and recheck by your IT department before they are decommissioned. The 2016 report showed that assets sold to third parties often contained personally identifiable information (PII) and other sensitive data. Learn more about the proper disposal of paper documents and data through our blog.
According to the 2018 Verizon report, 76 percent of breaches were financially motivated. Cybercriminals are simply after cold, hard cash and will get it any way they can. Data from the report shows they are most likely to target businesses that are unprepared.
While insiders were motivated most frequently by monetary gain, 25 percent of cases were attributed to espionage, which is also connected with many insider breaches. Since 2009, there has been a rise in espionage-motivated insider abuse. This is especially true of exiting employees who may have taken valuable, proprietary data with them.
In 2018, 68 percent of breaches took months or longer to discover and they were often discovered by a third party such as a business partner, law enforcement, or, worse, a customer. Such breaches can do irreparable damage to the reputation of your business, costing you lost revenue, lawsuits, or worse.
The reality is data breaches are not just a problem for a business’s IT department. Breaches cause trouble throughout a business from employees who can’t access tools to do their jobs to the attorneys who handle litigation resulting from such hacks. The truth of the matter is that it is everyone’s responsibility to mitigate and manage risk.
Regardless of what your business may need from hardware to software or regular employee training, Dox is here to help. If your organization needs assistance, send us a message online or call us now at (585) 473-7766. Thanks for your time and stay safe online.