No healthcare organization wants to receive notification that there has been unauthorized access to healthcare data at the company. Not only could this expose patient information, it could also result in fines for the organization for lackluster data security measures.
That’s what the executives at 21st Century Oncology experienced last November when they learned that “unauthorized third parties” had accessed their database of patient names, Social Security numbers, treatments, and insurance information. They then had to keep the incident quiet during the four-month FBI investigation.
In November 2015, Owensboro Health, a Kentucky hospital, learned of a major data breach that had been ongoing for three years from – you guessed it – the FBI.
For healthcare companies that store sensitive data, a call from the FBI means your information security program and processes have likely broken down and the stolen data has made its way into the cyber criminal underground. Or perhaps it has been used in some second-order crime that caught the attention of the Bureau. Either way, this raises the stakes (and the cost) of recovery.
Identifying network and data security challenges
The reason organizations struggle to identify compromises of their network and data is that they have been conditioned to think of threats and risk as coming from outside the organization, rather than inside.
We watch our firewall logs and IDS sensors for warnings. We monitor our endpoint security products for alerts about malware infections. But too often, the threat is already inside our organization and has gained unauthorized access to sensitive data.
There are many possible avenues. Credential theft that is secondary to phishing or malware attacks is common.
At the last South by Southwest conference, John Halamka of Beth Israel Deaconess Hospital in Boston talked about phishing attacks aimed at staff in which attackers set up a website to resemble Massachusetts General Hospital’s payroll portal. Employees received an email asking them to log in to the site to authorize a bonus payment.
Malicious insiders are another major threat. The shift in online behavior that marks an employee’s transition from doing his or her job to engaging in malicious or criminal acts is subtle. In many cases, malicious and legitimate actions are identical. What matters is the context, or the larger pattern of behavior into which a discrete act fits.
Finally, well-meaning employees may inadvertently provide an opening for attackers or thieves. Sensitive data might be copied to cloud services or emailed out of an organization in the effort to streamline exchanges. Employees may choose to copy data to a laptop to work on at home, only to have that hardware stolen.
In fact, data stored in unencrypted form on employee laptops that are lost or stolen is one of the biggest sources of violations of data privacy laws like HIPAA.
What is the solution? Unfortunately, there are no easy fixes. But, there are many small steps that organizations can take to move toward comprehensive data security. Here are a few:
Identify your sensitive data
The table stakes are that organizations must know what sensitive data they store and where it lives on their network. This is harder than it sounds. Organizations might consider their “sensitive data” to be that which is immediately relevant to their business, such as product designs, marketing plans and sales figures. But companies often also store sensitive or regulated data that is not core to their business, and that data must be managed too. As an example, a Verizon study found that 90 percent of the 20 industries surveyed had experienced a PHI data breach. This means that these incidents reach farther than just healthcare organizations.
Monitor patterns of data access
Once organizations know where their data is, they need to be able to analyze and monitor the behaviors of users who are accessing that data. The goal is to be able to identify behaviors and actions that put organizations at risk. For example, are users accessing a database of patients and doing so in a manner that is consistent with their job and their peers’ jobs? Or are they engaged in bulk copying (or deletion) of patient records? Are employees who sip data from different applications or file servers suddenly guzzling it? If so, why?
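As an added illustration of the peer-baseline monitoring described above (example code written for this page, not Imperva's product or the author's own tooling), the script below takes a constructed patient-database audit log, builds a rows-per-query baseline for each job role from its peers, and flags queries that fall outside a role's expected tables, bulk deletions, and reads far above the peer baseline. The log format, the role-to-table mapping, the `BULK_ROWS` fallback threshold and the robust-statistics cutoff (`median + k * MAD`) are all assumptions made for the example; the one-person "contractor" group shows the edge case where there are too few peers to compute a baseline, so an absolute threshold is used instead.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the article). One line per query:
# timestamp, user, role, action, table, rows touched.
SAMPLE_LOG = """\
2016-03-01T08:02:11 nurse01 nurse SELECT patients 12
2016-03-01T08:15:40 nurse02 nurse SELECT patients 9
2016-03-01T09:01:05 nurse03 nurse SELECT patients 15
2016-03-01T09:30:22 billing01 billing SELECT insurance 40
2016-03-01T09:45:10 billing02 billing SELECT insurance 35
2016-03-01T10:05:00 nurse01 nurse SELECT patients 11
2016-03-01T10:20:33 billing03 billing SELECT insurance 38
2016-03-01T11:00:00 nurse04 nurse SELECT patients 8
2016-03-01T11:12:47 contractor07 contractor SELECT patients 5000
2016-03-01T13:40:02 billing02 billing DELETE patients 600
2016-03-01T14:05:19 nurse02 nurse SELECT patients 14
"""

# Tables each role is expected to touch (an assumption for this example).
ROLE_TABLES = {
    "nurse": {"patients"},
    "billing": {"insurance"},
    "contractor": {"patients"},
}
BULK_ROWS = 500   # absolute fallback when a role has too few peers (assumption)
MIN_PEERS = 3     # minimum observations before a peer baseline is trusted


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "action": action, "table": table, "rows": int(rows)})
    return sorted(events, key=lambda e: e["ts"])


def role_baselines(events):
    """Median and MAD of rows-per-query per role, from in-role SELECTs only."""
    by_role = defaultdict(list)
    for e in events:
        if e["action"] == "SELECT" and e["table"] in ROLE_TABLES.get(e["role"], set()):
            by_role[e["role"]].append(e["rows"])
    baselines = {}
    for role, values in by_role.items():
        if len(values) >= MIN_PEERS:
            med = statistics.median(values)
            mad = statistics.median(abs(v - med) for v in values) or 1.0
            baselines[role] = (med, mad)
    return baselines


def find_anomalies(events, k=5.0):
    """Return (user, action, table, rows, reasons) for every event worth a look."""
    baselines = role_baselines(events)
    findings = []
    for e in events:
        reasons = []
        if e["table"] not in ROLE_TABLES.get(e["role"], set()):
            reasons.append("table outside role")
        if e["action"] in ("DELETE", "UPDATE") and e["rows"] >= BULK_ROWS:
            reasons.append("bulk modification")
        if e["action"] == "SELECT":
            if e["role"] in baselines:
                med, mad = baselines[e["role"]]
                if e["rows"] > med + k * mad:
                    reasons.append(f"rows {e['rows']} above peer baseline "
                                   f"{med:.0f} + {k:.0f} * {mad:.0f}")
            elif e["rows"] >= BULK_ROWS:
                # Too few peers for a baseline: fall back to the absolute threshold.
                reasons.append("bulk read (no peer baseline)")
        if reasons:
            findings.append((e["user"], e["action"], e["table"], e["rows"], reasons))
    return findings


if __name__ == "__main__":
    for user, action, table, rows, reasons in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{user:14} {action:7} {table:10} {rows:6}  {'; '.join(reasons)}")
```

Run as-is, it reports the contractor's 5,000-row read and the billing user's 600-row deletion from a table outside that role, while the routine nurse and billing queries stay quiet. In practice the baseline would be computed over days or weeks of history rather than a single morning, and a user's own past volume would be compared alongside the peer group so that a gradual "sip to guzzle" shift is caught as well.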
Identify and contain external risks
Companies are increasingly opening their networks to business partners, third-party contractors (including cloud application and storage providers) and even to their customers. To fully address your risk of data theft, you must understand the web of connections to and from your sensitive data. Are there business partners or contractors with access inside your environment? If so, how tightly drawn are those access permissions? When do they expire (or have they already expired)? What cloud providers do you rely on? What data lives on their infrastructure and what security exists to protect data in transit and at rest?
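The questions above (who has access, how tightly scoped it is, and whether it has expired) translate directly into an inventory check. The script below is an added example for this page, not code from the author or from Imperva; it audits a constructed list of external access grants and reports the ones that are expired but still active, have no expiry at all, have gone dormant, or hold write access to a store holding patient or insurance data. The grant fields, the `SENSITIVE_STORES` set and the 90-day dormancy window are assumptions for the example.

```python
from datetime import date

# Constructed inventory of third-party access grants (assumption for this example).
GRANTS = [
    {"party": "billing-vendor", "store": "insurance_db", "perm": "read",
     "expires": date(2016, 12, 31), "last_used": date(2016, 2, 28), "active": True},
    {"party": "radiology-contractor", "store": "patients_db", "perm": "read",
     "expires": date(2015, 9, 30), "last_used": date(2016, 2, 20), "active": True},
    {"party": "cloud-backup", "store": "patients_db", "perm": "write",
     "expires": None, "last_used": date(2016, 3, 1), "active": True},
    {"party": "former-auditor", "store": "insurance_db", "perm": "read",
     "expires": date(2016, 6, 30), "last_used": date(2015, 6, 1), "active": True},
    {"party": "old-partner", "store": "patients_db", "perm": "read",
     "expires": date(2015, 1, 1), "last_used": date(2014, 12, 1), "active": False},
]

SENSITIVE_STORES = {"patients_db", "insurance_db"}   # assumption
DORMANT_DAYS = 90                                     # assumption


def audit_grants(grants, today):
    """Return a list of {party, store, issues} for every active grant with a problem."""
    findings = []
    for g in grants:
        if not g["active"]:
            continue   # already revoked; nothing to contain
        issues = []
        if g["expires"] is None:
            issues.append("no expiry")
        elif g["expires"] < today:
            issues.append(f"expired {(today - g['expires']).days} days ago but still active")
        if (today - g["last_used"]).days > DORMANT_DAYS:
            issues.append("dormant")
        if g["perm"] != "read" and g["store"] in SENSITIVE_STORES:
            issues.append("write access to sensitive store")
        if issues:
            findings.append({"party": g["party"], "store": g["store"], "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_grants(GRANTS, date(2016, 3, 2)):
        print(f"{f['party']:22} {f['store']:13} {'; '.join(f['issues'])}")
```

Against the sample inventory this surfaces the contractor whose grant lapsed months ago but was never revoked, the backup provider with open-ended write access to patient data, and an auditor account nobody has used in nearly a year. Each of those is a concrete containment task: revoke, add an expiry, or downgrade the permission.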
As security professionals, we can aspire to stop every possible security incident or data breach. That’s a fine goal.
But the reality of our jobs is that containing security incidents and protecting data is an equally important (and growing) requirement. Visibility into the patterns that define how your sensitive data is being accessed and the ability to spot anomalies in those use patterns are critical to reducing the duration and, therefore, the severity of breaches, malware infections and other adverse incidents.
Deepak is the Director of Security Strategy at Imperva where he leads the efforts of the Imperva Defense Center. Over the years he’s focused on security best practices, digital forensics, secure application architecture and design. He is an avid blogger and public speaker for industry shows around data security and compliance.