While it may seem that not a month goes by without a massive healthcare data breach taking place, implementing stronger health data security measures can go a long way in breach prevention. It’s important to start at the bottom – with the basics, according to Kurt Baumgartner, principal security researcher at Kaspersky Lab.
When healthcare organizations build up their health data security and privacy measures from the bottom, it can help them avoid cyber attacks, Baumgartner said, adding that he doesn’t necessarily believe in the idea that “It’s not a matter of if, but a matter of when,” in terms of data breaches occurring.
“When you’re talking about the medical industry itself, you’re looking at extremely valuable and sensitive information,” Baumgartner said. “It’s not as if that sort of data wasn’t being sought out before. Not only has the legislation tightened up around the disclosure around breaches, but there has been a more rapid adoption of newer technologies in the medical industry that helps increase the amount of attack services that the industry is exposing to the attack groups.”
Essentially, the medical industry is not necessarily coming under more cyber attacks, he said. There is more legislation in place, which ensures that organizations announce that a data breach took place and then begin to take the required steps to recover after the fact. There have been changes in the last year, but it doesn’t necessarily have to do with the fact that the medical industry – or any industry – is coming under attack more than it was a year ago, Baumgartner said.
In terms of the Anthem data breach, Baumgartner explained that those cyber attackers were sophisticated, and fully versed in spear phishing and the subsequent lateral movements required to gain access to the network.
“Organizations can train their people on spear phishing awareness,” Baumgartner said. “They can carry out regular ‘red team’ exercises and can help people better understand what to look for and how to reasonably handle their emails.”
Conducting necessary training exercises on an ongoing basis is key, according to Baumgartner, and penetration tests can also go a long way in helping healthcare facilities find potential network weak points. Seeking out assistance from appropriate third parties will also help facilities improve their health data security. Whether it’s a third-party review of a data system or even help with auditing, finding supplemental help could be essential.
“The healthcare industry is going through a true rubber hits the road moment,” Baumgartner said. “As [organizations] adopt things more rapidly to decrease expenses and overhead, they’re learning that it can be done – things can be kept updated. But there’s a base of things they need to attend to.”
For example, Baumgartner explained that as new technologies are implemented, if the necessary security and privacy precautions are not also taken, then those implementers will learn their lesson the hard way.
“I think [in terms of healthcare] data security, we’re going to see more incidents and more disclosures over the next year,” he said. “But I do think the bases are going to improve. Whether that’s with a new password policy or network segmentation I don’t know. But on a basic level, things are going to be improving.”