Healthcare CISO Explores A Recent Outbreak Of Breaches

From malware to phishing we ask why these attacks are hitting the headlines

Add bookmark

In the last three weeks, Cyber Security Hub has reported on three separate data breaches involving personal and medical information of possibly hundreds of thousands of people nationwide. This time it was a malware attack that exposed patient data. The week before, it was a phishing scam and prior to that — a website vulnerability.

As the latest attack continues to unfold and is still under investigation, yet another healthcare breach is emerging in the headlines. So, why the sudden increase in healthcare data breaches? Here, we explore this question and more, in a quick Q&A with our Advisory Board member and CISO Rebecca Wynn:

CS HUB: Why the sudden increase in healthcare data breaches? Or, are they just getting more press?

WYNN: There are several reasons for the increase in healthcare data breaches. Healthcare has historically lagged behind other industries when it comes to security; so essentially, healthcare has caused many of its own headaches.

For example, I consulted with a healthcare provider Q4 2018 that still had Windows 2000 servers and wanted my opinion on what they should be doing to get ready for HITRUST. Um, upgrade your servers for starters! I consulted another organization that had no dedicated information security staff so they really didn’t know what their security posture really was.

It is easy for companies in any sector, but I see it a lot in healthcare: They get so consumed with operational demands and seeing that next patient, or making that next dollar, that security gets pushed aside until tomorrow. Well, one of those tomorrows will be a data breach that makes the news, ends up in social media, and hurts your profits and bottom line in so many ways — such as in reputation which costs you MONEY!

See Related: “Incident Of The Week: Malware Attack Exposes Patient Data

There are also more regulations that have come along in the past few years around what must be reported and to whom. It just isn’t the Department of Human Services any longer. It is possible that this trend is simply an artifact of better breach detection and reporting for incidents that would have previously gone undetected or undisclosed to the public.

Also, unfortunately, we keep seeing security budgets and security personnel getting cut. There is the misbelief that just having Data Loss Prevention, a firewall, IDP/IPS, etc., in place means that those systems will sound an alarm bell that something is amiss. That has proven time and time again not to be the reality. Those rule sets and definition files are set by humans, and while you may need less staff, that doesn’t mean do away with all of the staff (or nearly all). You still need to be actively monitoring and looking at cross correlations within the data to find the malicious users of your system, backdoors where hackers can get in, or just watch for people doing things on the network that can expose data.

See Related: “Incident Of The Week: UConn Health Phishing Attack Exposes Patient Data

CS HUB: Why is patient data so valuable?

WYNN: The short answer is simple. One of the primary ways of accessing the additional information required to steal an identity is by securing an individual’s medical and health records. In addition to a person’s medical history, these records contain a lot of sensitive information such as an individual’s full social security number, their date of birth, and their parents’ names and dates of birth. It also contains a lot of information that can usually be used to answer security questions or apply for other identity documents, such as birth certificates. Stolen medical records are used for many types of identity theft, such as healthcare fraud, filing fraudulent tax returns and opening new lines of credit.

See Related: “Incident Of The Week: UW Medicine Patient Data Exposed Online

According to Experian, here are the 10 most common pieces of information sold on the dark web (the dark web operates much like the black market) and the general range of what they are sold for:

  • Social Security number: $1
  • Credit or debit card (credit cards are more popular): $5-$110
    • With CVV number: $5
    • With bank info: $15
    • Fullz info: $30

*Note: Fullz info is a bundle of information that includes a "full" package for fraudsters: name, SSN, birth date, account numbers and other data that make them desirable since they can often do a lot of immediate damage.

  • Online payment services login info (e.g. Paypal): $20-$200
  • Loyalty accounts: $20
  • Subscription services: $1-$10
  • Diplomas: $100-$400
  • Driver's license: $20
  • Passports (US): $1000-$2000
  • Medical records: $1-$1000 (Depends on how complete they are as well as if its a single record or an entire database)

CS HUB: What can hospitals (or enterprises) do to better protect their data?

WYNN: While it is fine to look at the industry benchmark and see where you line up against your peers use those benchmarks WISELY. I once heard a COO state that he looked at 20+ of his peers and their security was nowhere near where the company has it, so he thought ‘why spend anymore than the current maintenance spend?’ That is naïve. Why would you ever want to compare yourself to a company who isn’t putting money into security, privacy, compliance, and risk management? You must ensure that your CISO has the personnel, resources, and support to protect the company. Not to do so, is asking to be in the news.

Here’s a brief checklist:

  • Cyber security framework: Do you have a cyber security framework that they will commit to including resources. I recommend NIST (National Institute of Standards and Technology) Cyber Security Framework, HITRUST (Health Information Trust Alliance) or Shared Assessments SIG (Standardized Information Gathering) for most organizations.
  • Policies and procedures: Are background checks conducted on employees? Is regular security training required? Are there clear rules in place for what employees can install and keep on their work computers, or websites they can and cannot visit?
  • Passwords: Are regular employee password changes and complex password requirements enforced? Are passwords stored on company computers, or are they written down and kept on file? Do employees understand the dangers of repeat usage of the same password? Do they rely on password management services?
  • Data security: There should be controls in place that are every bit as stringent as those in place for financial data when it comes to security, availability, confidentiality and privacy. Whether in-house or cloud-based, any systems containing health data or benefits-related data should be HIPAA compliant. Both at rest and in transit, data should be encrypted using industry-standard protocols. Two-factor authentication should be required for secure access, and all data uploaded should be scanned for viruses and malware.
  • Monitoring: Systems should be continuously monitored, and data access and system changes tracked. Beyond monitoring, businesses should conduct regular security assessments such as vulnerability and penetration testing.
  • Patching: Do you have a patch management policies, procedures and testing in place?
  • Vendor management: Are you requiring your downstream vendors to have a security program in place and are you doing a review of them? You are only as secure as your weakest link.

The simple truth is that there will never be such a thing as 100% information security. Hackers will always be coming up with new and worse ways to exploit systems and retrieve the sensitive data. You will have a malicious insider, disgruntled employee, or careless administrator that causes a data breach or leak information you rather not have been made public. But companies that arm themselves and their employees with the information, training, and tools they need will significantly mitigate the risk of a breach and keep sensitive or private health information secure. Well, at least show that you did what is reasonably expected. My motto, ‘Security and Privacy by Design & Default’ always and forever.

See Related: “Best Practices For Safeguarding Data And Managing Privacy