No one wants to experience an active security situation. A data breach will result in numerous sleepless nights, big expenses, and lots of lost confidence. The challenge, however, is that healthcare data is just so valuable.
In the 2017 Ponemon Cost of Data Breach Study, researchers found that the global average cost of a data breach is down 10 percent over previous years to $3.62 million. The average cost for each lost or stolen record containing sensitive and confidential information also significantly decreased from $158 in 2016 to $141. However, in the healthcare world those numbers were much different.
The Ponemon Institute calculated the average healthcare data breach costs to be $380 per record. While the average global cost per record for all industries is $141, healthcare data breach costs are more than 2.5 times that global average. Financial services came in second with $336 cost per record.
So if a breach happens, right now, what’s your response plan? Do you even have one? Are you prepared to ensure you can mitigate the risk and respond?
In working with a variety of healthcare organizations (both large and small), I’ve found that the first, and very natural, response is to get back to operating status as quickly as possible. And, although bringing service back to an operational state is absolutely critical, we can’t forget the forensic and security analytics process.
With that in mind, it’s truly important to make sure you understand the cause of the breach, and not just work towards an immediate cure.
Data, logs, and analytics
Analyzing logs isn’t just for managed services practices or trying to troubleshoot user issues. New solutions around log aggregation and data analytics allow you to look deep inside of your network and understand the flow of data. Furthermore, some of these tools will proactively notify you if there’s an issue. That being said, if a breach happens or you’re in the process of experiencing one, begin to follow your response protocol. However, if you have a good log and data analytics platform, you’re one step ahead. You’ll be able to quickly analyze which part of your infrastructure was breached and then better understand why. Remember, many new SIEM (security information and event management) solutions can even give you forensic functionality to better analyze key data points.
This is an important point to note: risk within your environment should be weighted based on the type of system and what data it houses. In other words, if some small part of your environment gets breached, what risk does it pose? Is there PHI data there? Can the breach spread? If you assign risk appropriately to your internal and external systems, you’ll be able to create response and mitigation plans much better suited to that specific data point or resource. This deeper understanding will also allow you to secure those systems more effectively. So, if a breach happens on a key platform, you should be able to contain that risk quickly while still leveraging logs and analytics to understand what happened.
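The two ideas above, correlating events from an aggregated log feed and weighting what you find by the risk of the asset involved, fit together in a few dozen lines. The following is an added example, not code from the original article or from any SIEM product. The key=value log format, the host names, the asset inventory and the rule thresholds are all constructed for illustration; a real deployment would read these from its log pipeline and asset register.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory (hypothetical hosts): does the system house PHI,
# and how heavily should an incident there be weighted?
ASSET_RISK = {
    "ehr-db-01":     {"phi": True,  "weight": 5},
    "pacs-srv-02":   {"phi": True,  "weight": 4},
    "guest-wifi-gw": {"phi": False, "weight": 1},
}

# Constructed sample log lines in a simple "timestamp key=value ..." format.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z host=guest-wifi-gw user=visitor event=login_failed src=192.0.2.10
2024-03-01T08:00:02Z host=guest-wifi-gw user=visitor event=login_failed src=192.0.2.10
2024-03-01T08:00:03Z host=guest-wifi-gw user=visitor event=login_failed src=192.0.2.10
2024-03-01T08:00:04Z host=guest-wifi-gw user=visitor event=login_ok src=192.0.2.10
2024-03-01T09:10:00Z host=ehr-db-01 user=svc_backup event=login_failed src=198.51.100.7
2024-03-01T09:10:05Z host=ehr-db-01 user=svc_backup event=login_failed src=198.51.100.7
2024-03-01T09:10:09Z host=ehr-db-01 user=svc_backup event=login_failed src=198.51.100.7
2024-03-01T09:10:12Z host=ehr-db-01 user=svc_backup event=login_ok src=198.51.100.7
2024-03-01T09:11:00Z host=ehr-db-01 user=svc_backup event=record_export count=12000 src=198.51.100.7
2024-03-01T10:00:00Z host=pacs-srv-02 user=drlee event=login_ok src=10.0.4.15
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
    return rec


def parse_logs(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def detect(records, threshold=3, window_s=60):
    """Two simple rules, each scored by the asset's risk weight:
    - >= threshold failed logins from one source within window_s seconds,
      followed by a success on the same host (base score 2)
    - a bulk record export from a host that houses PHI (base score 3)
    """
    fails = defaultdict(list)   # (host, src) -> recent failure timestamps
    alerts = []
    for r in records:
        key = (r["host"], r.get("src"))
        asset = ASSET_RISK.get(r["host"], {"phi": False, "weight": 1})
        ev = r.get("event")
        if ev == "login_failed":
            fails[key].append(r["ts"])
            # keep only failures inside the sliding window
            fails[key] = [t for t in fails[key]
                          if (r["ts"] - t).total_seconds() <= window_s]
        elif ev == "login_ok":
            if len(fails[key]) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "host": r["host"],
                               "src": r.get("src"), "ts": r["ts"],
                               "severity": 2 * asset["weight"], "phi": asset["phi"]})
            fails[key] = []
        elif ev == "record_export" and asset["phi"]:
            alerts.append({"rule": "phi_bulk_export", "host": r["host"],
                           "src": r.get("src"), "ts": r["ts"],
                           "severity": 3 * asset["weight"], "phi": True})
    return alerts


def triage(alerts):
    """Highest-risk systems first, so response effort follows the data at stake."""
    return sorted(alerts, key=lambda a: (-a["severity"], a["ts"]))


if __name__ == "__main__":
    for a in triage(detect(parse_logs(SAMPLE_LOGS))):
        print(f'{a["ts"]:%H:%M:%S} sev={a["severity"]:>2} phi={a["phi"]!s:5} '
              f'{a["host"]:<14} {a["rule"]} from {a["src"]}')
```

The same three failed logins followed by a success score 2 on the guest Wi-Fi gateway but 10 on the EHR database, and the bulk export from the PHI host sits at the top of the queue. That ordering is the point: the rule logic is identical, but the asset register decides what you look at first and what you contain first.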
Root cause analysis
New solutions allow you to quickly get to root cause issues within your environment. The great part here is that these reports can help both before and after a potential breach. This type of analytics approach can examine failures within the network that are related to configurations, patch levels, and even updates. From there, you can better understand your vulnerabilities and the risk they pose, and respond accordingly. Of course, you want to get back to a state of operation quickly when a breach happens. However, in combination with a good logging and data analytics platform, root cause analytics help you understand what happened quickly while still remediating the issue.
When focusing on the cause of a breach, you will first have to contain it. This means plugging the hole, updating the firmware, or removing an infected device. Before you do, however, contain the issue in an isolated environment so you can really understand what happened. Sandboxing technologies are great for this, virtually segmented VMs are a good idea, and examining pieces of equipment offline works as well. Containing a breach can happen in a number of different ways. Not all breaches happen virtually or via the cloud. In some cases, a USB device, a disk, or even an entire server needs to be reviewed. Similarly, you may need to isolate an entire segment of your network to investigate the breach.
You don’t have to go through the remediation process alone. In fact, I highly recommend that you do not. Security partners will help you with the forensic process and help you identify what in your network was flawed. A good security partner relationship will actually help you recover from a breach faster and allow you to better understand what happened. In the healthcare world, timing around a breach is everything; so have a good partner on speed dial.
A breach can happen for so many reasons. In some instances, negligence or a user mistake are at fault. In other cases, there is criminal intent. Either way, there are some absolute musts when it comes to securing your environment:
- Always monitor and manage your security policies.
- Keep your software and hardware up-to-date.
- Your logging and auditing system can absolutely save you if there is a security event.
- User, admin, contractor, guest policies, groups, and identities must all be managed and reviewed.
- Train your users to be first responders.
If a breach does happen, stay calm. Start collecting your evidence and work with a security partner to help remediate the damage. The biggest piece of advice when working with a healthcare breach is to learn as much as possible from what happened.
Remember, having powerful security policies and technologies within your environment might still not make you 100 percent secure, but it’ll help you respond much more quickly. Furthermore, leveraging good analytics platforms will allow you to look at your infrastructure from a different perspective, while allowing you to identify flaws and potential issues.