Healthcare security and data protection – a unique challenge
The healthcare ecosystem’s core mission is to provide the best care possible to its end users. The industry is in the process of transforming the delivery of care through IT, with security and privacy serving as enablers. The explosion of new-generation applications has had a major impact on healthcare networks, where data must be transmitted seamlessly and securely over both wired and wireless networks.
Belmont and Golding said, “Healthcare is more vulnerable to hacks than other industries because medical records are so valuable”. These data are sold on the black market by fraudsters and other miscreants.
The healthcare industry’s inability to keep sensitive data secure could undermine its ability to transform. That inability exposes organizations to high financial and credibility risk when they fail to protect data and privacy. A comprehensive security approach is required to protect healthcare organizations against high-profile attacks.
According to the newly released “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data”, a Ponemon report commissioned by ID Experts:
- data breaches cost the healthcare industry about $6.2 billion
- 79% of healthcare organizations say that they confronted at least 2 data breaches in the last 2 years, while 45% claim to have faced more than five breaches
A study last year by Raytheon and Websense found that healthcare organizations are twice as likely to suffer a data breach as other industries. Adding fuel to the fire, many healthcare organizations are already falling short in their application security programs, infrastructure and practices, according to the Building Security In Maturity Model (BSIMM) study.
According to a 2016 survey from HIMSS Analytics, the overall number of healthcare attacks over the past five years has increased by 125%. Cybercrime-based attacks remain the number one cause of data breaches. The rest were rooted in insider problems: 41% via a lost or stolen device and 36% via an “unintentional” employee act. Around 13% cite a malicious insider attack.
So, how can the risk be contained?
Ideally, the organization should incorporate a proactive incident anticipation and response process, designed with the overall industry trends in mind. A security framework that incorporates best practices and recommendations from NIST, HIPAA, ISO, FedRAMP and FISMA should be in place and be diligently practised.
Real-time monitoring of production systems, isolation and restricted access, system hardening, and regular updates of the operating system, firewall and security tools are some of the stepping stones towards achieving this objective. The organization should perform an in-depth analysis of any tools and software it plans to use before incorporating them into its systems.
Each organization should have a dedicated security expert team that works with legal and security experts from across the industry to build better processes and plans, in order to comprehensively reduce cyber-attacks and improve the safety and protection of data.
Tailoring IT tools to a firm’s specific technology stacks and potential attackers is also a good idea. OWASP (the Open Web Application Security Project) provides the know-how to check and implement several security parameters. While fortifying security parameters is very much needed, it is clearly not, on its own, the way to build a secure IT infrastructure design. Bolstering the security of a healthcare organization requires a comprehensive security design, correct implementation, periodic vulnerability testing, and continuous monitoring of potential threats and industry-level security trends; moreover, these are important phases that should ideally be made part of the software development and deployment life cycle.