- As covered entities and business associates of all sizes work to protect healthcare data, there are numerous aspects to consider, especially as cybsecurity threats continue to evolve and become more sophisticated.
We often focus on major security incidents, their impacts, and what this means for the industry. Today, security breaches are happening at alarming rates where attackers are emboldened by the value and availability of data.
In fact, your medical information is worth 10 times more than your credit card number on the black market, according to a Reuters article on healthcare security.
The article goes on to say that cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
As the article points out, stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company.
He obtained the data by monitoring underground exchanges where hackers sell the information.
According to Cisco, the current market around cybercrime actually ranges between $450 billion and $1 trillion per year.
Further estimates expect this number to increase.
So how much is your data actually worth? Consider this:
- Social Security Number: $1
- DDoS as a Service: About $7/hour
- Medical Records: >$50
- Credit Card Data: $0.25 – $60
- Bank Account Info: >$1000 (Depending on the type of account and balance)
- Mobile Malware: $150
- Malware Development: $2500 (commercial malware)
- Spam: $50 for about 500k emails (depending on number of emails and destination)
- Custom Exploits: $100k – $300k
- Facebook Account: $1 for an account with at least 15 friends
These numbers give us a perspective of how much hackers can make off of your data. But what does it actually cost a business to experience a data breach or loss of vital information?
New findings from Juniper Research suggest that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015. Furthermore, the average cost of a data breach in 2020 will exceed $150 million, as more business infrastructure gets connected.
Let’s pause here for a moment and take this all in.
As the reality sets in, I need to make one thing very clear: The threats against your healthcare data center are NOT going anywhere. In fact, they’ll likely get more ferocious and sophisticated.
There are a lot of ways to combat these threats and, at the very least, mitigate the risks associated with a breach or an attack. Many of these strategies revolve around upgrading physical gear, improving virtual systems, and integrating better management tools for the healthcare environment.
However, what we don’t often discuss is the user.
I’m not talking about just anti-virus or BYOD policies. Specifically, user training can be a huge help to healthcare security. In my experience in working with a variety of local and national healthcare providers, those with the most trained users usually have the fewest security incidents.
So, with that in mind, let’s look at some best practices around end-user management, training, and what tools can be used to better support end-user security.
Training, basic security, and educating the end-user
The idea with healthcare security is pretty simple: “Take action now, or pay later.”
Given these new types of advanced attack vectors, one way to help prevent a security incident is to use next-gen anti-malware software and utilizing good data protection methodologies.
I would highly recommend looking at new types of end-point detection and response (EDR) as well as new types of endpoint protection (EPP) solutions. It can help guard against known threats and other kinds of malware incidents. Most of all, they can protect users from zero-day attacks and even sandbox unknown attacks against and environment.
Here’s another easy one - taking advantage of the popup blocker functionality in web browsers is a great way to help guard against things like phishing, malware, and even ransomware attacks. Popups sometimes contain malware or lead to malicious websites.
In addition, you need to educate healthcare employees about the importance of avoiding any websites marked as potential security threats by their web browsers or anti-malware software.
You also need to educate employees about how to spot incoming threats. Let them know what they should and should not do:
- Do not open any email attachments that you are not expecting. If the email is from someone you know, check with that person first before opening the attachment.
- Do not click any links embedded in emails sent from unknown sources. Even if you know the person who sent the email, check the link before clicking it. Hover your cursor over the link to see the address of the website that you will be taken to. If the website address seems suspicious, perform an online search to see if it is associated with any cybercrimes.
- Use anti-malware software.
- Back up your files regularly.
- Be cautious around peripherals. USB keys need to verified and arrive from known sources. Don’t plug something in your found somewhere into a healthcare machine.
- If users are mobile, don’t log in from unsecure wireless locations. Create secure hotspots if needed or utilize secure network to access data.
Finally, holding regular security seminars is actually something many users welcome and enjoy.
Remember, these are steps they can take to secure both their workplace environment as well as their home networks.
Holding basic security workshops with different user-focused themes is a great way to interact with the end-user community and help ensure security is top-of-mind. This level of interaction between security and the user helps create a more cohesive IT atmosphere where everyone is focused on security.