Dominated by what seemed like an almost endless parade of data breaches, 2014 was a rough year for healthcare data security. Attacks against retail, media and financial institutions commanded the headlines, but the healthcare sector was hit particularly hard, quietly accounting for 43 percent of all major data breaches. This trend is unlikely to reverse course in 2015; if anything, it will get worse.
The healthcare industry vertical isn’t like most when it comes to cybersecurity. HIPAA requires controls that protect patient privacy by restricting who can view electronic medical records (EMR). Because legitimate clinical need for access depends on circumstances that cannot all be anticipated in advance, healthcare data access controls will always be partly reactive. The speed with which the healthcare sector has had to move to EMRs has only made the security problem worse.
The current and future challenge is making sure that the user viewing the data is not only the right person, at the right time, with the right relationship to the patient, but also that the account is not being driven by an attacker who obtained valid credentials through social engineering and is impersonating the user. Medical information is most often stolen for identity theft and fraud.
How big is the problem, and how bad will it get?
The attack surface that healthcare information security professionals must protect has quickly grown out of control. EMC’s “The Digital Universe” report points out that 93 percent of data healthcare organizations hold requires protection.
Take hospital equipment, for example. Many machines store patient ID information obtained from a bar code or QR code on the patient’s wrist. These machines attach to patient intake and billing systems that are connected to the Internet. Further expanding the attack surface is an extended partner-supplier-services ecosystem with connections to healthcare systems, and data and remote access by a wide variety of healthcare providers and patients using patient portals.
The FBI has weighed in, saying it has “observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).” A future that promises wearable technology and remote patient monitoring will provide even more new attack vectors.
There are many excellent security practitioners in the healthcare space, all of whom work extremely hard with the resources they have. Yet, they are saying the same things:
- In an emergency, caregivers treat first and ask about appropriate data access later. This adds a layer of information gathering and validation to incident response, because an unusual access is not necessarily an illegitimate one.
- There simply aren’t enough security practitioners.
- There are too many alerts and not enough context.
- HIPAA/HITECH has kept many major providers focused on compliance more than security.
It’s not helpful that salaries for information security professionals in the healthcare sector rank near the bottom (education was the lowest) when compared to other verticals across experience levels.
Which security problem should we tackle first?
Preventing every attack is impossible; the attack surface is simply too broad. All of these systems, partners, patients and healthcare providers require access to data and some form of authentication to get it. Employees will continue to fall victim to social engineering schemes and hand their credentials to attackers, allowing those attackers to get deep into networks and stay there for long periods. There are, however, a few things we can do:
- Additional vetting of partner security policies and architectures as part of the initial selection process can help to weed out partners and suppliers with weak security.
- Adding security training to patient portals is cost-effective and can help with awareness and patient education. Pushing a three-question survey about data security to patients isn’t onerous.
- Additional security training for employees should be required quarterly. There are a number of good training modules on the market.
That said, better detection of suspicious user activity is where real improvements can be made. User behavior intelligence is a newer category of security solution. Today, security professionals react to alerts from a wide variety of point solutions and try to link them to specific users across a timeline. User behavior intelligence turns that paradigm around: it looks for anomalous user activity first, then attaches the security alerts to the individual(s) who were using the system when the alert fired. This approach has a role to play in reducing workloads and in detecting the attackers who quietly make it through defenses by impersonating users with legitimate credentials.
A good user behavior intelligence solution should, at a minimum:
- Be able to use existing log management data without having to replicate it into an additional storage system adding cost and complexity;
- Watch for and score each anomalous behavior and access characteristic;
- Create an additive risk score for each set of user account credentials;
- Alert the analyst about sets of credentials whose score crosses a defined threshold, for immediate follow-up;
- Track the user credentials across systems, identities and IP address changes, and assemble an activity timeline for each user session from logon to logoff;
- Have a simple user interface that also supplies the credential owner’s contact information for immediate follow-up.
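The requirements above describe a scoring pipeline, so here is an added example of one, written for this page and not taken from any product: each event is compared against a per-credential baseline, every anomalous characteristic adds points to that credential’s running score, events are stitched into a logon-to-logoff timeline (including a mid-session source IP change), and credential sets that cross the threshold are flagged together with the owner’s contact details. The log format, the baselines, the weights and the directory lookup are all constructed assumptions for the sake of the example; a real deployment would read existing log management data and a real identity directory.

```python
"""Additive per-credential risk scoring over authentication and EMR access logs (illustrative)."""
import ipaddress
from datetime import datetime

# Constructed baselines (assumed, not from any real product): networks, hosts and
# working hours normally seen for each credential, plus a typical records-per-session count.
BASELINES = {
    "jsmith": {"networks": ["10.20.0.0/16"], "hosts": {"ward3-ws01", "ward3-ws02"},
               "hours": (6, 20), "typical_records_per_session": 5},
    "dlee":   {"networks": ["10.20.0.0/16"], "hosts": {"er-ws07"},
               "hours": (0, 24), "typical_records_per_session": 8},
}

# Constructed directory lookup supplying credential-owner contact info for follow-up.
DIRECTORY = {"jsmith": "J. Smith, Ward 3, ext. 4410", "dlee": "D. Lee, Emergency, ext. 2201"}

# Points per anomalous characteristic (illustrative, tunable).
WEIGHTS = {"new_network": 30, "new_host": 20, "ip_change_midsession": 25,
           "failed_logons": 10, "off_hours": 15, "record_volume": 25}


def constructed_logs():
    """Constructed sample log: one benign ward session and one suspicious VPN session.

    Format (assumed): ts|event|user|src_ip|host|detail
    """
    lines = [
        "2015-01-12T08:02:11|logon_ok|jsmith|10.20.4.17|ward3-ws01|",
        "2015-01-12T08:05:40|emr_read|jsmith|10.20.4.17|ward3-ws01|mrn=100231",
        "2015-01-12T08:06:02|emr_read|jsmith|10.20.4.17|ward3-ws01|mrn=100232",
        "2015-01-12T15:58:30|logoff|jsmith|10.20.4.17|ward3-ws01|",
        "2015-01-12T23:41:05|logon_fail|dlee|203.0.113.44|vpn-gw1|",
        "2015-01-12T23:41:19|logon_fail|dlee|203.0.113.44|vpn-gw1|",
        "2015-01-12T23:41:33|logon_ok|dlee|203.0.113.44|vpn-gw1|",
    ]
    # Bulk record pulls from an unfamiliar host, then the same session continues from a second IP.
    lines += [f"2015-01-12T23:44:{i:02d}|emr_read|dlee|203.0.113.44|billing-app2|mrn={200001 + i}"
              for i in range(20)]
    lines += ["2015-01-13T00:02:00|emr_read|dlee|198.51.100.9|billing-app2|mrn=200120",
              "2015-01-13T00:03:12|logoff|dlee|198.51.100.9|billing-app2|"]
    return "\n".join(lines)


def parse_line(line):
    ts, event, user, src_ip, host, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user,
            "src_ip": src_ip, "host": host, "detail": detail}


def build_sessions(events):
    """Stitch each credential's events into logon-to-logoff timelines.

    Failed logons that precede a successful one belong to the same session, so the
    analyst sees the brute-force attempts next to the access that followed them.
    """
    sessions, open_by_user = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        sess = open_by_user.get(ev["user"])
        if sess is None or (ev["event"] == "logon_ok" and sess["authenticated"]):
            sess = {"user": ev["user"], "events": [], "authenticated": False}
            sessions.append(sess)
            open_by_user[ev["user"]] = sess
        sess["events"].append(ev)
        if ev["event"] == "logon_ok":
            sess["authenticated"] = True
        if ev["event"] == "logoff":
            del open_by_user[ev["user"]]
    return sessions


def score_session(sess, baseline):
    """Return (additive score, reasons) for one credential session against its baseline."""
    score, reasons = 0, []
    nets = [ipaddress.ip_network(n) for n in baseline["networks"]]
    ips = {e["src_ip"] for e in sess["events"]}
    unknown_ips = sorted(ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets))
    if unknown_ips:
        score += WEIGHTS["new_network"]; reasons.append("new_network:" + ",".join(unknown_ips))
    for host in sorted({e["host"] for e in sess["events"]} - baseline["hosts"]):
        score += WEIGHTS["new_host"]; reasons.append(f"new_host:{host}")
    if len(ips) > 1:  # credential used from two source addresses within one session
        score += WEIGHTS["ip_change_midsession"]; reasons.append("ip_change_midsession")
    fails = sum(1 for e in sess["events"] if e["event"] == "logon_fail")
    if fails:
        score += WEIGHTS["failed_logons"]; reasons.append(f"failed_logons:{fails}")
    start, end = baseline["hours"]
    if any(not (start <= e["ts"].hour < end) for e in sess["events"]):
        score += WEIGHTS["off_hours"]; reasons.append("off_hours")
    reads = sum(1 for e in sess["events"] if e["event"] == "emr_read")
    if reads > 2 * baseline["typical_records_per_session"]:
        score += WEIGHTS["record_volume"]; reasons.append(f"record_volume:{reads}")
    return score, reasons


def analyze(log_text, threshold=60):
    """Score every session and return per-session reports with timeline, alert flag and contact."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    report = []
    for sess in build_sessions(events):
        score, reasons = score_session(sess, BASELINES[sess["user"]])
        timeline = [f"{e['ts'].isoformat()} {e['event']} {e['src_ip']} {e['host']} {e['detail']}".rstrip()
                    for e in sess["events"]]
        report.append({"user": sess["user"], "score": score, "reasons": reasons,
                       "timeline": timeline, "alert": score >= threshold,
                       "contact": DIRECTORY.get(sess["user"], "unknown")})
    return report


def respond(report):
    """Automated containment: map each alerted credential set to the action to take."""
    return {r["user"]: "disable_credentials_and_notify" for r in report if r["alert"]}


if __name__ == "__main__":
    results = analyze(constructed_logs())
    for r in results:
        print(f"{r['user']}: score={r['score']} alert={r['alert']} contact={r['contact']}")
        for reason in r["reasons"]:
            print("   ", reason)
    print("actions:", respond(results))
```

Note what the additive score buys: no single rule here is conclusive (an ER physician working at midnight is normal, a VPN logon after two failures is common), but the combination of unfamiliar network, unfamiliar hosts, a source IP change inside one session and a record volume well above baseline is what an analyst would want surfaced first, with the whole timeline attached rather than a dozen disconnected alerts.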
Incident response teams are overwhelmed with false positives that often take them down a path to the wrong root cause analysis. This will get worse as healthcare organizations progress toward their electronic healthcare record goals, and as they implement healthcare technologies and remote patient monitoring to lower patient care costs.
The information security analyst shortage means more professionals will enter the field with less real world experience, which means seasoned professionals will get even more escalations. Simply put, for 2015 (and likely 2016) organizations will have to put solutions and processes in place that help them respond faster with less expertise.
Whether you’re a payer, provider or supplier in the healthcare industry, the focus needs to be on damage containment in an environment that’s always on. It’s unrealistic to shut down network zones inside a healthcare IT environment, but it may be reasonable to disable sets of credentials that are behaving badly, and to automate some of that as part of the incident response plan. In addition, the incident response team should focus its initial response less on malware analysis and more on common attacker activities. This is not a subtle shift, but when teams look at the white space between the stages of the traditional attack chain, they quickly see that obtaining and using credentials is common to most of them. Once healthcare data security response teams identify the set(s) of credentials used to carry out an attack, they can trace them to the systems the attackers touched, and from there to the malware for eradication.
Nir Polak, CEO and co-founder of Exabeam, is a 13-year enterprise information security veteran with a broad range of executive experience including setting company strategy, driving execution, building new products and bringing them to market, and providing exceptional client services.