If you look at all the data breaches that took place in 2014, you might conclude that healthcare organizations have lax cybersecurity protocols. You’d be wrong, but it’s not hard to see how you might reach that conclusion. Last year, the healthcare sector reported more breaches—333 in all—than any other industry. But a symptom viewed in isolation can mislead; diagnosing the real ailment in the healthcare industry requires a more thorough examination. Want to know why hackers are so intent on breaking into healthcare organizations’ systems—and so successful? Here are the top reasons:
Healthcare data is the most valuable data of all.
If a hacker goes to the trouble of infiltrating, say, an e-commerce vendor or a brick-and-mortar retailer, he’ll walk away with thousands or hundreds of thousands of credit card numbers. That’s no small haul, but credit card companies and consumers have learned to deal with breaches. Banks assign their customers new numbers, issue them new cards and promise to wipe any suspicious charges. By the time hackers can sell their stolen card data, much of it is useless. Healthcare data, by contrast, gives criminals just about everything they need to steal identities, creating valuable goods to sell on the black market. A breach at a health insurance company, for example, could yield data ranging from bank account and Social Security numbers to medical history to family names and beyond. Think of all of the fraudulent accounts a criminal could open simply by getting hold of a customer’s Social Security number, her address and her mother’s maiden name.
In an industry where everything is sensitive and regulated, workers resist additional controls.
Just like chief information security officers in other industries, CISOs working in healthcare evaluate their vulnerabilities and their priority technology upgrades on an ongoing basis. Because healthcare information runs so deep, deploying new technology can be complex, but selling users on that technology and its associated security protocols can be even more challenging. A doctor who has to endure multiple controls just to prescribe medication or complete another mundane task might understandably bristle when the security team introduces multi-factor authentication or some other process that he views as just another obstacle to doing his job.
Human beings—including medical providers—are fallible, and hackers know it.
When my wife was in the hospital for the birth of our daughter, I noticed something during every nursing shift. The staff left patient folders open on the front desk. There was ample security to protect newborns themselves, but not to protect their data. Harried working conditions also contribute to the potential exposure of digital data. If an overtired doctor heads home after a 20-hour shift and forgets his laptop in the taxi, that could be just the opening a criminal needs to access an entire healthcare system. Humans aren’t error-proof, which is why the technology, particularly in healthcare, has to be.
A hacker only needs to be right once; the healthcare organization needs to be right all the time.
For every high-profile data breach affecting a healthcare organization during the past 18 months, there are experts ready to say, “They should have known better.” “They should have known laptops have to be encrypted.” “They should have known they had to train their staff to avoid phishing scams.” “They should have known...” Whatever security protocol completes that should-have-known statement, the reality is that no one can predict every scenario. If you try to manage data security through prediction, you will fail. It’s always a race between the good guys and the bad guys, and the bad guys only have to get it right one time to do serious damage. Instead of trying to predict and prevent every possible attack method, security teams need to implement technology capable of understanding normal user behavior and sounding alerts when activity deviates from established patterns.
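The baseline-and-alert approach the paragraph describes, shown as an added illustrative example that is not Exabeam's product or any code from the original article: it learns each user's normal access hours and daily record volume from constructed sample log lines, then flags activity that deviates from that profile. The log format, the user name and the z-score threshold are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample EHR access log, "YYYY-MM-DD HH:MM user record_id" (not from any real system).
BASELINE_LOG = """\
2015-03-02 08:15 drlee P1001
2015-03-02 11:05 drlee P1002
2015-03-03 09:30 drlee P1003
2015-03-03 13:45 drlee P1004
2015-03-04 10:00 drlee P1005
2015-03-04 14:50 drlee P1006
"""
# Constructed new activity: one normal daytime access, then a burst of record reads at 03:00.
NEW_LOG = """\
2015-03-05 09:05 drlee P1007
2015-03-05 03:12 drlee P2001
2015-03-05 03:13 drlee P2002
2015-03-05 03:14 drlee P2003
2015-03-05 03:15 drlee P2004
2015-03-05 03:16 drlee P2005
"""

def parse(log):
    # Yield (date, hour, user, record) from each line of the constructed format
    for line in log.splitlines():
        date, clock, user, record = line.split()
        yield date, int(clock.split(":")[0]), user, record

def build_baseline(log):
    # Per user: the hours at which access is normal, plus mean/stddev of distinct records per day
    hours, per_day = defaultdict(set), defaultdict(lambda: defaultdict(set))
    for date, hour, user, record in parse(log):
        hours[user].add(hour)
        per_day[user][date].add(record)
    return {u: (hours[u], mean(c), pstdev(c))
            for u in hours for c in [[len(r) for r in per_day[u].values()]]}

def detect(log, baseline, z=3.0):
    # Flag accesses at hours never seen for that user, and days whose distinct-record volume exceeds mean + z*stddev (stddev floored at 1 so a flat baseline still alerts)
    alerts, per_day = [], defaultdict(lambda: defaultdict(set))
    for date, hour, user, record in parse(log):
        per_day[user][date].add(record)
        if user not in baseline or hour not in baseline[user][0]:
            alerts.append((user, date, f"unusual hour {hour:02d}:00 for {record}"))
    for user, days in per_day.items():
        if user in baseline:
            hours, mu, sd = baseline[user]
            for date, recs in days.items():
                if len(recs) > mu + z * max(sd, 1.0):
                    alerts.append((user, date, f"{len(recs)} records vs baseline {mu:.1f}"))
    return alerts
```

Running `detect(NEW_LOG, build_baseline(BASELINE_LOG))` yields five off-hours alerts plus one volume alert for the same day, while replaying the baseline log against its own profile yields none.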
The healthcare industry is at a pivotal point in terms of its data security. After a record year of data leaks and losses, security leaders know the havoc breaches wreak, and they know it’s time to re-evaluate their defenses. Instead of deploying tools that can only withstand one type of attack or implementing processes that ignore the inherent fallibility of human end users, CISOs need to pay attention to the user data itself. By focusing on user behavior intelligence, healthcare organizations can spot and stop attacks before hackers fatally damage their reputations.
Barry Shteiman is director of the San Mateo, Calif.-based user behavior intelligence provider Exabeam Labs. He has more than 11 years of experience in the information security field, including leading research, development and sales teams. Prior to joining Exabeam, Shteiman was the director of security strategy at Imperva.