Lessons in preventing data breaches in healthcare organizations
By Matt Phillion
As vaccines for COVID-19 begin to reach more and more people, excitement is building at the prospect of a return to normalcy. But the rollout has also highlighted an ever-present threat in healthcare—and all industries—that has become more prevalent during the pandemic: cyberattacks.
The risks of cyberattacks on hospitals and other healthcare settings were already high pre-pandemic, as these institutions work with sensitive data, like patient information. But attackers never let an opportunity go to waste, and they’ve already targeted the manufacturing and distribution of COVID-19 vaccines—including a known attack on Pfizer.
Healthcare is in a unique position when it comes to cyberattacks. Its data is valuable, and the prominence of contractors, contingent workers, and non-human workers (think medical devices with internet access, for example) gives attackers additional channels to target. These workers, human and non-, require access to key systems and data to get their jobs done. But securing that access can sometimes be an afterthought for organizations as they look to upgrade or improve their overall cybersecurity posture.
What are the biggest security risks right now for healthcare organizations?
“Third parties are really a top risk. In fact, 59% of all breaches are linked to third parties,” says David Pignolet, president and CEO of SecZetta, which addresses the growing need for better IT security and identity and access management across multiple industries. Roughly half of the organizations SecZetta works with are in healthcare.
“So how can healthcare organizations do a better job? They have to manage the human, and their relationship with the organization,” says Pignolet.
He notes, “You manage the risk of the individual whom you’re granting access to by properly managing their identity life cycle. Typically, organizations have good rigor in place to do this for their full-time employees, but in a healthcare organization there’s a lot of third parties—doctors, nurses, you go down the enterprise and you’ll often find the number of third parties is in excess of the actual population of employees.”
There are tools to manage those risks, however. With the rise of remote workers, the need for comprehensive identity and access management is more important than ever before. “In a pandemic world, you’ve got the riskiest type of users with the riskiest type of access and a fraction of the control you have over employees,” says Pignolet.
One of the issues hospitals need to deal with is something often seen in other areas of safety: A vendor may say they’re taking steps to secure your information, but are they really? It’s worth verifying that a vendor is as secure as they claim.
“It goes beyond controls for access,” says Pignolet. “You’ll want to verify who they are, where they’re located. If someone’s supposed to be in the U.S. and suddenly logs in from China, that’s a problem.”
In addition to human third-party users, many third parties are non-human workers such as devices, robotic process automation, bots, or scripts. These users can sometimes require privileged access, and often that access is not as well managed as it is for humans. “There’s no relationship to a manager in the organization, per se,” says Pignolet.
He goes on to say that you have to tie sponsorship to these non-human workers. Somebody in the organization should be able to attest whether the third parties should exist at all, let alone be granted the access they’re requesting.
Nothing is forever—including access to data
One of the reasons these issues exist, Pignolet says, is slow termination of access. These outside entities, be they third parties or non-human workers, are defined by what they do for the business, not the access they’re granted.
“You end up with all this orphaned account access being used, or worse, the credentials being stolen,” says Pignolet.
Keeping up with access management can be difficult given how many regulatory and compliance demands are placed on the healthcare industry. Those demands aren’t unreasonable, but they can create a culture of checking a box rather than focusing on the underlying reason for the security measures.
“A lot of these regulatory or compliance demands have driven security that may not be sufficient, but they check the box, at least,” says Pignolet. “What healthcare needs to do is move on from check-the-box compliance to actual risk mitigation. Actually controlling risk in the organization, not just doing the things that will get them past an audit.”
It’s a matter of taking that next step in the thinking process. “Why do the regulatory compliance demands exist? To protect people’s data,” says Pignolet. And while legislation might be well meaning, it can’t move fast enough to set forth the controls needed to define risk in a world of cyberthreats that change day to day, if not minute to minute.
How do we look forward?
While it’s one thing to have a policy on cybersecurity risk management, it’s another thing to enforce it. Organizations that look at cybersecurity as a “task” rather than as risk mitigation will tend to generate stopgap measures instead of a culture shift.
“There’s a problem they need to solve, so they throw Band-Aids at it,” says Pignolet.
Of particular interest is the “Wild West” of third-party access, Pignolet says. Organizations tend to use employee-centric policies and tools for managing third-party access, which is often not effective.
“You have control over the employees, and it’s much more well defined, centralized, and controlled by the organization itself. Access is trusted based on that control,” he says. “With third parties, you have controls agreed upon by the vendor, but if you grant access as an employee, there’s more risk. We think you should silo these populations, manage them in a purpose-built way. Their relationship is very different from an employee.”
It’s pivotal to treat these third parties and non-human workers as distinct populations, and to manage them according to their specific needs and security risks. “We need to be extra diligent,” says Pignolet.
Best practices worth adopting should address risk-based authentication, onboarding, and timely termination of access. “That can be driven by good process relationship management,” Pignolet says.
In addition, anyone you grant access to should be offered security awareness training, particularly in times of greater risk.
“Education is key within any enterprise,” says Pignolet, and not just for the end users. Selling better security controls to the C-suite pays dividends, too. Security goes beyond just buying a tool—the tool needs to be implemented and managed if it’s going to prevent an expensive breach.
“Everyone should be on guard,” he says. “Foster a culture of security awareness.”
Attackers will often go after low-hanging fruit, phishing for credentials from low-level users to leverage for deeper access. Using a good authentication tool, one that weighs geographic location, time of login, and other factors when validating the user, can go a long way. In many cases, Pignolet says, there’s a movement away from using usernames and passwords at all and toward more secure—and less easily stolen—methods for granting access.
Another factor to consider: the ability to turn off access quickly and effectively in the event of a breach. “If you’re a provider and you just read that your vendor was breached, most organizations don’t even have a collective source for how many people with that vendor have access. Single-click turnoff for access, or even an automated function to turn it off—there’s all kinds of functions you can put in place,” says Pignolet.
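As an added illustration, not code from the article or from SecZetta, here is a minimal Python model of the third-party identity registry Pignolet describes: every account carries a vendor, an internal sponsor, and an expiry, so orphaned access can be deprovisioned, a whole vendor’s access can be turned off in one step after a breach notice, and each login is judged on location and time of day. All account names, vendors, sponsors and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class ThirdPartyIdentity:
    account: str
    vendor: str            # organization the identity works for
    sponsor: str           # internal employee who attests it should exist; "" if nobody does
    kind: str              # "human" or "non-human" (device, bot, script)
    home_country: str      # country logins are expected from
    access_expires: datetime
    active: bool = True

def sample_registry():
    """Constructed sample data; accounts, vendors, sponsors and dates are made up."""
    exp = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
    return [
        ThirdPartyIdentity("dr.lee", "Locum Staffing Co", "a.khan", "human", "US", exp(2021, 12, 31)),
        ThirdPartyIdentity("rn.ortiz", "Locum Staffing Co", "a.khan", "human", "US", exp(2021, 6, 30)),
        ThirdPartyIdentity("infusion-pump-17", "PumpMaker Inc", "", "non-human", "US", exp(2025, 1, 1)),
        ThirdPartyIdentity("billing-bot", "ClaimsTech LLC", "j.ross", "non-human", "US", exp(2020, 1, 1)),
    ]

def _disable(registry, match):
    """Disable every active identity that match() selects; return their account names."""
    hit = [i for i in registry if i.active and match(i)]
    for i in hit:
        i.active = False
    return sorted(i.account for i in hit)

def revoke_vendor(registry, vendor):
    """Single-step turnoff: cut off every identity tied to a vendor you just learned was breached."""
    return _disable(registry, lambda i: i.vendor == vendor)

def deprovision_orphans(registry, now):
    """Remove orphaned access: nobody left to attest the identity, or its access window has passed."""
    return _disable(registry, lambda i: not i.sponsor or now > i.access_expires)

def login_decision(identity, country, hour_utc, now):
    """Risk-based check of one login: lifecycle state and location deny; odd hours need step-up."""
    reasons = [msg for failed, msg in (
        (not identity.active, "account disabled"),
        (now > identity.access_expires, "access expired"),
        (country != identity.home_country, f"login from {country}, expected {identity.home_country}"),
    ) if failed]
    if reasons:
        return "deny", reasons
    if not 6 <= hour_utc < 20:  # assumed working window (UTC); tune per role
        return "step-up", ["login outside usual hours"]
    return "allow", []
```

The registry answers the question Pignolet raises, how many people with a given vendor have access, with a single filter, which is what makes the one-step turnoff possible.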
Interestingly, Pignolet adds, the focus on cybersecurity is now at the forefront for many higher-ups in ways it wasn’t just a few years ago.
“Mitigation and risk and access of systems is rising. It’s usually a board-level conversation now,” he says. “Five years ago, that might not have been the case.”
Healthcare cyberattacks by the numbers
- Hospitals lack dedicated security staff: in 2019, a survey by Black Book Market Research found that only 21% of hospitals surveyed reported having a dedicated security executive—and only 6% of those respondents identified that person as the chief information officer.
- Facilities are relying more on contingent labor: According to Modern Health, 83% of hospitals are now using contingent labor to fill vacant positions.
- Breaches are expensive: According to the Healthcare Innovation Group, the average cost for a healthcare breach is $429 per breached record, nearly three times the cross-industry average.
- Breaches are on the rise: According to the HIPAA Journal, in 2019, the industry saw a 196% increase in breaches from the previous year—including 510 healthcare data breaches of 500 records or more.
Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at firstname.lastname@example.org.