Research reveals that the total number of data breaches in healthcare has doubled over the last three years. If that doesn’t prompt you to reexamine your organization’s security posture, the financial toll of these incidents might be: The average cost of a healthcare data breach is now $11M.
Despite these alarming trends, most data breaches can still be prevented by implementing the foundational principles of strong cybersecurity. Here are six measures healthcare organizations can take to protect patient records and other sensitive data.
- Use multi-factor authentication
There’s a common saying among cybersecurity professionals: Hackers are no longer breaking into systems, they’re just logging in. Systems that only require a username and password for entry are incredibly vulnerable, as approximately half of all breaches start with compromised credentials.
Multi-factor authentication (MFA), as its name suggests, requires users to authenticate their identities using more than just their credentials, such as by entering a unique code sent to an external email address or successfully answering a security question. This adds a layer of protection by introducing another element bad actors would need in order to get into a system.
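To make the "another element" concrete, here is an added example (not code from the article or from Altera) of the server side of an e-mailed one-time code: the code is issued from a CSPRNG, only its hash is kept, and verification enforces expiry, single use and an attempt limit. The five-minute lifetime and five-attempt lockout are assumed policy values, not figures from the article.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict

# Assumed policy values for this example (not from the article).
CODE_TTL_SECONDS = 300   # an e-mailed code is only honoured for five minutes
MAX_ATTEMPTS = 5         # after this many wrong guesses the challenge is dead


@dataclass
class Challenge:
    """Server-side record of one pending second-factor challenge."""
    user: str
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


class SecondFactor:
    """Issues and verifies one-time codes delivered out of band (e.g. to a registered e-mail)."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so tests can fast-forward time
        self._pending: Dict[str, Challenge] = {}

    def issue(self, user: str) -> str:
        # Six digits from a CSPRNG. Only the hash is stored; a short code is still
        # guessable offline, so the TTL and attempt limit are what bound the risk.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = Challenge(
            user=user,
            code_hash=hashlib.sha256(code.encode()).digest(),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code   # handed to the mail sender, never echoed to the login page

    def verify(self, user: str, submitted: str) -> bool:
        ch = self._pending.get(user)
        if ch is None or ch.used:
            return False               # no live challenge, or replay of a consumed code
        if self._clock() > ch.expires_at:
            del self._pending[user]
            return False               # expired: the user must request a fresh code
        if ch.attempts >= MAX_ATTEMPTS:
            return False               # locked: even the right code no longer works
        ch.attempts += 1
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), ch.code_hash)
        if ok:
            ch.used = True             # single use
        return ok


def login(password_ok: bool, mfa: SecondFactor, user: str, code: str) -> bool:
    """Both factors must pass: a stolen password alone does not get the attacker in."""
    return password_ok and mfa.verify(user, code)
```

The constant-time comparison and the attempt counter matter because a six-digit code is a small space; without the lockout, the second factor degrades into something a script can guess.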
- Adopt zero-trust principles
In the early days of the internet, computers were inherently “trusting.” That is, when prompted to perform a certain set of commands, systems would generally execute them without question. That makes for a smooth user experience, but not a secure one.
More recently, zero-trust principles have taken off, wherein access is denied by default and only granted after confirming that a user or application has permission to access a network or perform an action. Applying zero-trust principles makes it challenging for threat actors to bounce around a network because they have to continually prove they are who they say they are, that they have the right privileges in a network, and so on.
Additionally, it is important for users to explicitly verify that other users are who they say they are. When opening emails, for instance, users should check that the email address is in their network or is from a trusted contact before clicking any links in the body. An organization may have a dedicated security workgroup, but the reality is that cybersecurity is a team effort requiring vigilance among all associates—and regular training to reinforce good security hygiene and habits.
- Apply least privilege access
The more privileges users have on a system, the more opportunities there are to damage the system. Bearing this in mind, least privilege access means users are limited to the privileges necessary to complete their tasks and nothing more. For example, users who simply need a word processor and basic email functions do not need the ability to change security settings on their device or look at other users’ login credentials. This also means that if a threat actor uses a person’s information to breach a system, they can only get as far as that individual user’s permissions allow.
As an analogy, think of a large apartment complex. Tenants might need separate keys to access the building, their units, mailboxes and communal spaces like a pool. If least privilege access principles were applied, staff members who maintain the pool would only need keys to the pool. In the event their keys were stolen, trespassers would not have access to tenants’ units.
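The two preceding sections, deny-by-default access and least privilege, can be shown in one small policy engine. This is an added example (not code from the article or from Altera) built around the apartment analogy: roles hold explicit grants, anything not granted is refused, every request re-checks the session rather than trusting an earlier admission, and `reachable()` lists what a stolen credential would unlock. The role and user names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Permission:
    action: str      # e.g. "enter", "open"
    resource: str    # e.g. "pool", "unit:4B", "mailbox:4B"


@dataclass
class Policy:
    """Explicit grants only: a request matching no grant is denied."""
    role_grants: Dict[str, FrozenSet[Permission]]
    user_roles: Dict[str, FrozenSet[str]]

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        needed = Permission(action, resource)
        for role in self.user_roles.get(user, frozenset()):
            if needed in self.role_grants.get(role, frozenset()):
                return True
        return False   # deny by default, including for unknown users and roles

    def reachable(self, user: str) -> List[str]:
        """Everything a stolen credential for `user` would unlock (the blast radius)."""
        perms = set()
        for role in self.user_roles.get(user, frozenset()):
            perms.update(self.role_grants.get(role, frozenset()))
        return sorted(f"{p.action}:{p.resource}" for p in perms)


@dataclass
class Session:
    user: str
    valid: bool = True   # flipped to False on logout, revocation or idle timeout


class Gateway:
    """Re-verifies who is asking on every request instead of trusting an earlier admission."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.sessions: Dict[str, Session] = {}

    def request(self, token: Optional[str], action: str, resource: str) -> bool:
        session = self.sessions.get(token) if token else None
        if session is None or not session.valid:
            return False   # identity not proven for this request: nothing is granted
        return self.policy.is_allowed(session.user, action, resource)


def _enter(resource: str) -> Permission:
    return Permission("enter", resource)


def build_policy() -> Policy:
    """Constructed roles for the apartment-complex analogy."""
    return Policy(
        role_grants={
            "pool-maintenance": frozenset({_enter("building"), _enter("pool")}),
            "tenant-4B": frozenset({_enter("building"), _enter("unit:4B"),
                                    Permission("open", "mailbox:4B"), _enter("pool")}),
            # The over-privileged alternative: one key that opens everything.
            "master-key": frozenset({_enter("building"), _enter("pool"), _enter("unit:4B"),
                                     _enter("unit:5A"), Permission("open", "mailbox:4B")}),
        },
        user_roles={
            "pool_staff": frozenset({"pool-maintenance"}),
            "tenant_4B": frozenset({"tenant-4B"}),
            "superintendent": frozenset({"master-key"}),
        },
    )
```

Comparing `reachable("pool_staff")` with `reachable("superintendent")` is the least-privilege argument in one line: the same stolen key costs the complex two doors in one case and every door in the other.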
- Assume breach
“Assume breach” is a cybersecurity concept wherein teams do not rely on their perimeter security tools and capabilities to be completely impenetrable. Instead, they also think about their internal security, should a breach ever occur. Security teams with this mentality perform assumed breach tests, wherein penetration testers are allowed through the perimeter security to see how well internal security tools protect the network. This type of test measures how effectively an organization applies the concept of “defense in depth,” or how well security is layered at all levels of a network/organization.
Using the apartment analogy again, imagine if residents did not lock their doors and only relied on a security gate surrounding the building. This would be a poor defense in depth. Conducting an assumed breach test in the complex would mean probing how well additional layers of security (e.g., locking windows, apartment units’ front doors, safes owned by tenants) protect their valuables from being stolen, even though the outermost layer of security has been breached.
- Leverage modern anti-malware
Earlier anti-malware relied solely on signature-based analysis to detect threats. Under this methodology, a file hash, or a multicharacter string of letters and numbers, is created for each file as a unique identifier. When malware is discovered on the internet, security teams can record that file hash in a database. Then, when antivirus software scans the system, it looks for any files that match a hash within its database. However, hackers eventually caught on to this approach and learned many ways to bypass it, making signature-based analysis ineffective as a standalone solution.
Because of the cat-and-mouse game between cyber-defenders and cyber threats, modern anti-malware goes a step further, performing behavioral or heuristic analysis. This anti-malware methodology detects behavior performed on a system that is out of the ordinary and flags it. For example, if a program is trying to look for usernames and passwords on a system but does not usually perform those actions, the anti-malware will report the suspicious activity.
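The difference between the two detection layers is easy to see in code. This is an added example (not code from the article, from Altera, or from any anti-malware vendor): a hash lookup that a one-byte change defeats, beside a baseline-driven behavioural check that flags a program doing something it has never been seen to do, such as a word processor reading a browser's credential store. The malware sample, hash database, credential-store markers, program names and baseline are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set

# --- Layer 1: signature (hash) matching -------------------------------------
# Constructed "known malware" entry standing in for a vendor's hash database.
KNOWN_BAD_SHA256: Set[str] = {hashlib.sha256(b"constructed-malware-sample-v1").hexdigest()}


def signature_match(file_bytes: bytes) -> bool:
    """Exact-content match only: any byte changed gives a different hash."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256


# --- Layer 2: behavioural / heuristic analysis ------------------------------
@dataclass(frozen=True)
class Event:
    program: str
    action: str   # e.g. "read_file", "write_file", "net_connect"
    target: str   # file path, host:port, ...


# Constructed markers for credential stores; a real product ships a much longer list.
CREDENTIAL_MARKERS = ("login data", "credentials.db", "/etc/shadow", ".kdbx")

# Constructed baseline: what each program has been observed to do normally.
# A program absent from the baseline has no known-normal behaviour, so everything it does is flagged.
BASELINE: Dict[str, Set[str]] = {
    "wordproc.exe": {"read_file", "write_file"},
    "browser.exe": {"read_file", "write_file", "net_connect", "credential_access"},
}


def classify(event: Event) -> str:
    """Lift a raw action into a behaviour category; reading a credential store is its own category."""
    if event.action == "read_file" and any(m in event.target.lower() for m in CREDENTIAL_MARKERS):
        return "credential_access"
    return event.action


def behavioural_alerts(events: List[Event]) -> List[str]:
    """Flag every behaviour a program has not been seen to perform before."""
    alerts = []
    for ev in events:
        category = classify(ev)
        if category not in BASELINE.get(ev.program, set()):
            alerts.append(f"{ev.program}: unexpected {category} on {ev.target}")
    return alerts


def scan(file_bytes: bytes, events: List[Event]) -> Dict[str, object]:
    """Run both layers; either one is enough to raise a detection."""
    sig = signature_match(file_bytes)
    alerts = behavioural_alerts(events)
    return {"signature_hit": sig, "behaviour_alerts": alerts, "detected": sig or bool(alerts)}
```

The behavioural layer trades precision for coverage: it catches the padded variant the hash misses, but it also needs a trustworthy baseline, which is why the browser reading its own credential store is not an alert while a word processor doing the same thing is.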
- Keep up to date
“Evolving threat landscape” isn’t just a buzzy term in cybersecurity. Bad actors are always looking for new ways to get into systems, so cyber-defenders must always monitor for and protect against them. One resource helpful in outrunning this digital hamster wheel is MITRE, a non-profit organization that conducts research and development on cybersecurity threats. It maintains the Common Vulnerabilities and Exposures (CVE) list, and anyone can submit notes on a newly discovered vulnerability to the organization. MITRE then documents the vulnerability in a particular product, what type of vulnerability it is, what information hackers can get if they exploit that vulnerability, and steps on how to fix it (the fix itself being the patch).
Similarly, big tech corporations like Microsoft bring awareness to vulnerabilities through Patch Tuesdays and other similar events, releasing security fixes at regular intervals. Keeping up with patches is crucial because, once they are released, hackers will look for systems that have not addressed those vulnerabilities.
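Keeping up with patches starts with knowing which systems still run a version older than the fix. As an added example (not code from the article or from Altera), the following compares a software inventory against a list of advisories, each naming the first fixed version, and reports every host that predates it. Product names, host names, versions and advisory identifiers are constructed placeholders, not real products or CVE numbers.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    product: str
    fixed_in: str      # first version carrying the patch


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.2.1' -> (10, 2, 1); tolerates prefixes such as 'v' or trailing build tags."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_lt(a: str, b: str) -> bool:
    """True if a is older than b, comparing component-wise with zero padding (10.2 == 10.2.0)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def unpatched(hosts: List[Host], advisories: List[Advisory]) -> List[Tuple[str, str]]:
    """(host, advisory) pairs where the installed version predates the fix."""
    findings = []
    for host in hosts:
        for adv in advisories:
            if adv.product == host.product and version_lt(host.version, adv.fixed_in):
                findings.append((host.name, adv.advisory_id))
    return sorted(findings)


# Constructed inventory and advisories (placeholders, not real products or CVEs).
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "ExampleEHR", "10.2.1"),
    Advisory("EXAMPLE-ADV-0002", "ExampleDB", "5.0"),
]
SAMPLE_HOSTS = [
    Host("ehr-app-01", "ExampleEHR", "10.2.1"),
    Host("ehr-app-02", "ExampleEHR", "v10.2"),
    Host("db-01", "ExampleDB", "4.9.7"),
    Host("db-02", "ExampleDB", "5.0.0"),
    Host("ws-17", "OtherTool", "1.0"),
]

if __name__ == "__main__":
    for host, adv in unpatched(SAMPLE_HOSTS, SAMPLE_ADVISORIES):
        print(f"{host} is missing {adv}")
```

The zero-padded comparison is the part worth getting right: naive string comparison calls "10.2" older than "9.9" and "5.0.0" older than "5.0", both of which would mis-report patch status.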
Maintain a strong foundation
In the health IT space, there is often a tendency to treat new innovations like shiny objects. While there will always be emerging technologies in health IT and cybersecurity, professionals in our field cannot forget the foundational measures that build the best defenses for our organizations. No number of shiny add-ons and tools will make up for a poor cybersecurity foundation. As healthcare becomes more and more digitized, those of us in the industry must never lose sight of the importance of protecting data—and in turn, protecting the safety and health of our patients.
About Brian Montgomery
Brian Montgomery is a Senior Security Engineer on Altera Digital Health’s internal penetration testing team. An ex-hacker for the U.S. Army and the National Security Agency, Brian obtained his master’s degree in cybersecurity studies and has obtained several technical certifications, including CISSP, GPEN, CEH, and Pentest+. Montgomery has a passion for helping spread awareness of cybersecurity and its related issues by focusing on the cybersecurity industry from the mindset of a hacker. With this mindset, he works on Altera’s internal penetration testing team improving Altera’s security posture and maturing its offensive cybersecurity capabilities.