Highly regulated industries have always led the way in best practices for accounting, information technology, and cyber security. Laws and regulations mandate specific procedures, and the shortcuts once taken to gain a competitive advantage have been eliminated now that they are regulated. This has leveled the playing field, from the money spent on data security to the technology approved for medical care.
While extreme differences still exist in the quality and type of care, the business side of the healthcare industry has slowly converged because of these regulations. This affects every type of healthcare provider, from hospitals to family practitioners. All data must be secured, transmitted using specific protocols, and insurance forms completed in a specific manner.
However, these standardized business practices have introduced weaknesses in the process that are exploited just like any other cyber security vulnerability. Because the processes are the same everywhere, the threats, and the opportunities to monetize them, are now real for all types of healthcare services.
Emerging and Growing Threats to Healthcare Information
Now that many processes are standardized, threats against healthcare leverage weaknesses in the data protocols and procedures used to store, process, and invoice for services. For example, consider the $65 million fraud alleged in this article. The alleged criminals understood how the standardized billing services for Tricare work and used the system to invoice millions of dollars; the scam itself was secondary to their knowledge of the billing process.
While this is an extreme case, even a conventional breach of a healthcare provider to steal patient information must still be monetized on the dark web. If an attacker understands the billing practices of insurers, or can siphon information directly from protocols like DICOM, monetizing the attack becomes much easier and potentially more profitable. This does not mean threats like ransomware and phishing are going away; they are still very real and a huge problem. But the evolution of attacks is shifting toward the weaknesses that regulation and standardization impose on all providers and insurers.
Improvements to Better Protect Healthcare Information
For the healthcare industry, information technology needs to learn from the best practices of medicine and adopt preventive care. IT should perform regular tests, screenings, assessments, and other security best practices to ensure all applications are up to date, properly patched for vulnerabilities, and not misconfigured. This is analogous to making sure your child has all of their shots, is checked regularly for hearing and vision problems, and does not have a condition like scoliosis.
If healthcare adopts the same mindset, using standards like SANS 20 and FedRAMP as the information-security equivalent of medical protocols, then sensitive client information can be protected much better, because risks can be identified early and treated, just like diagnosing a patient.
Barriers to Improving Cyber-Security Efforts in the Healthcare Sector
The biggest barriers to improving cybersecurity in healthcare are not only money or established technology. Security professionals know how to fix many of these problems even on a shoestring budget. The real problem in healthcare cybersecurity is the technology used daily that has traditionally been out of scope (until now) for hackers to monetize.
Consider the revelations last month about St. Jude Medical devices and Muddy Waters. The healthcare sector has embraced technology in so many ways that flaws in the devices, a lack of regulation for device security, and the technical limitations on upgrading them have created a new hurdle for the industry to overcome.
The biggest barrier for the industry is not traditional IT services, but rather all the medical equipment and devices that have been out of scope, locked down by the FDA via change control, and are now classified as Internet of Things devices that can be exploited and potentially cause loss of life. The largest barrier is yet to come, as the healthcare sector is forced to secure, replace, and manage these devices with a completely unknown scope and cost and, most importantly, a lack of expertise.
Addressing and Overcoming Barriers
The barrier of medical device security can be addressed with a basic IT security plan. First, understand the problem: how widespread it is and which devices are affected. Then manage the risk until permanent solutions can be found. This includes basic information technology procedures like:
- Discovery – identifying all of the devices and assigning risk priorities to them
- Segmentation – isolating high risk devices on separate networks and limiting access and communications to prevent a hack
- Remediation – when available, apply updates, configurations, and other changes to mitigate the risk
- Reporting – provide reports to technical teams and executives to quantify the risk and exposure
This barrier is no different from the technology hurdles we experienced with BYOD (Bring Your Own Device), except that the outcome could be life threatening. That obviously places a different level of urgency on solving the problem.
Learn why Care New England selects PowerBroker to secure their desktop infrastructure in this customer success story.
For more on how technologies like privileged access management and vulnerability management can help protect access to healthcare data, contact us today.