Holistic Cybersecurity a Must for the Healthcare Industry

March 9, 2020
Insecurity is compounded by fragmented and outsourced nature of U.S. healthcare

Recently it was reported that a billion medical images, including personally identifying information (PII), are exposed online and medical professionals are ignoring warnings. Discovered by German cybersecurity firm Greenbone Networks, the exposure follows a similar report in September 2019 that detailed 24 million medical records on 590 online medical image archive systems. Two months later, the firm reported that the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing an egregious violation of patient privacy.

Unfortunately, most of the medical world thinks it exists in its own private cloud, which is precariously unrealistic. Most medical professionals don’t usually understand that a large part of their information is globally accessible.

Cybersecurity Takes a Back Seat

Medical companies often manage security compliance as a subset of medical compliance, and therefore cybersecurity takes a back seat. This insecurity is compounded by the highly fragmented and outsourced nature of the U.S. healthcare landscape. The need for multiple parties to have prompt access to all medical data ensures that convenient access takes precedence over basic authentication and authorization security.

What’s at stake? To start, personally identifiable information, or PII, including billing details, as well as lab results, diagnoses, and hospitalization records. It’s no wonder healthcare tops the charts every year as the number one at-risk sector for cyber-criminals.

Healthcare Industry Data at Risk

The healthcare industry deals with some of the most valuable personal data and current efforts to safeguard sensitive data are falling short. As recently as October 2019, a hack of medical testing company LifeLabs exposed the sensitive personal information of an estimated 15 million Canadians, the largest breach of its kind ever reported in the country.

And the bad actors are using a variety of means to get that valuable data.

The medical industry was the first to be phished, over 20 years ago, and it still leads the way in data incontinence.

Ninety-seven percent of successful attacks across all industries involve some form of social engineering, and over 90 percent start with a phishing email. The more that we can train people to be security-aware, the less successful hackers will be.

When I demonstrate spoofing emails, around 10 percent of them get straight through to the prospect after they always assure me that they have perfect defenses. This is especially so in industries like healthcare and government, which explains why ransomware is so effective in crippling these critical organizations.

Ransomware attacks can wipe out entire systems in minutes, and healthcare decision-makers have grown increasingly comfortable paying the ransom for these types of attacks. It’s prudent that organizations, no matter what their size, have a recovery plan and know what to do when they are hit. It doesn’t take a brain surgeon to recognize that planning in advance is better than making it up on the fly when you have no phones, no email, and no data.

Up to 30 percent of untrained staff are highly susceptible to the attacks that do succeed. Just like technical defenses, staff can be ‘patched’ to reduce their vulnerabilities to phishing attacks, by training them in a holistic, integrated way—treating people and systems as parts of the whole.

New Approach Needed

This kind of holistic approach to cybersecurity is essential—deploy technical defenses and ‘patch’ your staff to significantly protect assets through defense in depth.

Another major cause of data breaches in the healthcare industry results from third-party vulnerabilities. Outsourcing billing, for example, to third-party vendors is a great way to extract efficiencies by reducing core costs, but it exposes the business and its customers to uncontrollable security risks.

Recently Google and Ascension announced a massive initiative to aggregate the data of roughly 50 million patients and store it on the cloud. Ascension runs the largest non-profit health system in the U.S., which is also the second-largest health system in the country overall. Dubbed Project Nightingale, the partnership allows Google to collect troves of sensitive information from Ascension’s roughly 2,600 hospitals, doctors’ offices and care facilities.

I call it “Project Nightmare.”

The companies say it will improve patient care and administration, but neither patients nor doctors had previously been notified of this data-sharing arrangement. Under the terms of HIPAA, Google and Ascension were not required to disclose the third-party data-sharing arrangement to patients because the purpose of collecting the data was to help the health care provider better execute its healthcare functions.

To address privacy concerns, the companies stated in their joint release that Project Nightingale would be “HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.” But how can Ascension ensure that people employed by a third party that is built on exploiting personal data will adhere to Ascension’s data policies?

At this rate, data breach insurance premiums will rival medical malpractice premiums – with all costs eventually being borne by paying patients.

About the Author: Colin Bastable is the CEO of LUCY Security’s USA operations. Colin has been building and leading global IT security businesses for over 20 years, with expertise in startups, re-boots and turnarounds in the cyber-security space. He was part of the European management team at McAfee during their early growth to market dominance. Bastable built and led the global sales team at nCipher (bought and spun off by Thales) and was a key member of the team that took nCipher public on the London Stock Exchange, and he co-founded and led innovative MFA business Mi-Token Inc.