February 05, 2020//Ellen NeveuxLast Updated: February 17, 2020
Healthcare data breaches are increasing exponentially year after year, and it doesn’t seem like they’re going to slow down any time soon. In order for IT healthcare professionals to take steps to safeguard their systems, it’s critical for them to understand why healthcare data holds so much value for hackers.
Healthcare data is valuable on the black market because it often contains all of an individual’s personally identifiable information, as opposed to a single marker that may be found in a financial breach. Often these attacks see hundreds of thousands of patient data compromised or stolen by those with malicious intent. According to a Trustwave report a healthcare record may be valued at up to $250 per record on the black market, compared to $5.40 for the next highest value record (a payment card). Because of the desirability of the data and the lure of monetary gain, it is important that this security threat is not underestimated by the Healthcare Industry IT professionals and that steps are taken to safeguard this data.
According to a Protenus report, the healthcare industry was on pace for a breach a day in 2017. And honestly, it feels like that still three years later. A good chunk of these breaches can be attributable to hackers getting their access through third-party vendors. And what’s crazy, is that the Ponemon Insititute found that if a third party causes a data breach, the cost of the attack increases by more than $370,000. Most research suggests the attack vectors are most likely to be ransomware (a new favorite tactic is to ransom the data and then sell it right back to the healthcare data owner), or malicious SQL injection attacks that can occur when malicious emails, websites, or software is installed or accessed within a network, often by an unwitting user.
Seeing this should be a wake-up call, and believe me, it’s easy to see frightening information like this and want to duck and cover. But we all know that duck and cover practices are ineffective and wouldn’t save anyone, it only makes an actual issue less frightening. Instead, we’re going to impart some real actionable advice in this post.
The vulnerabilities the industry faces were exposed in a particularly malicious ransomware attack against Hancock Health not even halfway through January 2018. According to Healthcare IT News, the first reported attack of 2018 was sophisticated, calculating, and motivated by financial gain. The attack forced the hospital’s IT staff to shut down their systems while their patient’s personally identifiable information was held hostage. It’d be nice to imagine a Nakatomi situation, where a heroic everyman could have saved the DAY and the data. However, in this situation, an after-the-fact solution just wasn’t possible.
The Hancock Health breach was traced to the hacker using a vendor’s remote access portal and credentials. And as many industry professionals agree a network is only as strong as its weakest credentials, so when access was opened up to third parties it added a layer of risk that should have been entirely avoidable. The hospital was later compelled by the attacker to pay $55,000 using the cryptocurrency bitcoin in order to release the data. The only preventative measures to prevent similar attacks against your institution are practical defensive solutions. The IT healthcare professional needs to be prepared and know who is accessing their company resources from third-party vendors up.
Similarly, in May 2019, the American Medical Collection Agency (AMCA), a “business associate” of a number of healthcare providers, reported an eight-month data breach had exposed sensitive information for more than 20 million patients. The event brought into sharp focus the risks facing healthcare providers who depend on outside vendors for support services.
Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare providers— also referred to as “covered entities”— can share protected health care information with vendors and business associates. Business associates can be anything from claims processors, bill collectors, and accounting firms to consultants, attorneys, claims clearinghouses, and medical transcriptionists. While vendors can offer more operation-critical services, they do require remote access to your network and sensitive data. Which, of course, makes them a huge threat to healthcare facilities.
Because of the number of interconnected devices in healthcare, opportunistic attacks are becoming more and more commonplace because there is a need for an organization to share information across devices and with third-party vendors. A network’s integrity is weakened by these vendors, who may have access to a site’s data through a VPN or multiple shared credentials. Email is another vector for hackers to use via a third-party’s access. Attackers are aware that email is often a weak spot and will use this to take advantage and will use phishing attempts to gain entry to a third-party vendor’s vetted, yet still un-secure, network access.
And, of course, hackers can get a lot of data on a single person when targeting a healthcare facility. Sure, credit card information is great; but ePHI is even better.
First of all, no we’re not descending into Mad Max times. It’s not yet a lawless wasteland. While there is an undeniable proliferation of attacks and an increase in data breaches, a number that only seems to be rising, it is certainly possible for IT professionals to defend against any rampaging apocalyptic marauders.
Healthcare IT departments need to act as if a threat to their network and ePHI is imminent and respond as such. Ultimately a network is more secure when all individuals accessing the network can be identified and tracked. It is important to know who is on your network, when they’re on your network, why they are on your network, and what they did while they were on your network. As an IT professional it behooves you to establish a praxis where all of your access points are monitored and secure, as well as each client, vendor, or end-user only has the minimum amount of access required to do business. You need to secure the vault before the first robbery.
Doing the above allows you to assess your current company policies, and identify areas of weakness. However, simply looking within the organization isn’t enough. As a healthcare IT support professional, it falls on you to look at external relationships and work to shore up all potential weaknesses in these third-party relationships.
It is important to be aware that the best defense against a data breach or attack is to be prepared for an attack from multiple vectors and assailants. The reputation of a disgruntled youth in a basement may have origins in truth; however, it is far more likely that attacks are sophisticated, coordinated, and orchestrated by criminal organizations, or foreign states in addition to the motivated criminal individual. With most networks possessing multiple unsecured entry points, a proliferation of cloud-based services, and multiple connected devices inherent to the reality of conducting business in the healthcare industry makes for an increased “attack surface,” where a single vulnerability invites an attack.
Mapping this attack surface and notating all points of entry and high-risk points can make it easier to continually assess, reassess, and reveal weaknesses. Mapping offers an opportunity to take a close look at how data is accessed on your network. You’re likely to discover that many access points (e.g. remote desktop, messaging applications, or VPN) are ad-hoc and not designed for the level of usage their deployment often demands. The goal here is to make your business a harder target. Most breaches are opportunistic in nature. Employing rigid standards of security and reinforcing your access portals goes a long way to closing down dangerous opportunities without sacrificing business-necessary access.
It’s clear that third-party vendors that access your network are a weak point that dramatically increases the risk of a security breach. In fact, 59% of data breaches are attributed to third-party vendors.
Download our HIPAA and HITECH Brochure for Privileged Remote Access to learn how you can eliminate the third-party vulnerabilities that can threaten HIPAA and HITECH compliance. You can count on the granular access control and monitoring features you need to secure your third-party access.