For healthcare, there has never been a more urgent time to reassess your cybersecurity and identity and access management strategy. Until recently, protected health information (PHI) was the most valuable merchandise on the Dark Web. According to the Institute for Critical Infrastructure Technology (ICIT), complete healthcare records sold for $75 to $100 at the height of demand. There is now so much PHI on the market that the ICIT says prices have plummeted by about half. But even at half price, PHI can earn a hacker more than 10 times the price of financial data. PHI is desirable because it has a much longer shelf life than financial data: a stolen card can be cancelled, but a medical history cannot.

The loss of PHI is also not easily discovered. Last year, ICIT reported that healthcare organizations took an average of 308 days to discover they had been breached. An attacker is looking for access to privileged accounts, and once they have it, finding the breach becomes extremely difficult, because administrators have extensive abilities to cover their tracks. That is why protecting privileged accounts and the confidential data they can reach is a great starting point.

Never underestimate your adversaries or their malware. They are patient, and they will likely suffer no ill consequences if caught. Let’s take a look at a few tactics they use to breach your data:
- Phishing – High-severity attacks aimed at harvesting user credentials, and a common route to the privileged accounts described above.
- Insider threats – The best firewalls in the world don’t necessarily protect you from disgruntled employees and rogue administrators.
- Human misconfiguration – Up to 75% of security breaches are from misconfigurations – a human error made by your staff.
- Poorly secured web and/or SaaS apps – There’s simply not enough time or onsite expertise to verify or fix apps which are not properly secured or have too much access.
Healthcare companies report that the most significant barriers to their security programs are:
Healthcare Is Hit Hardest By Insider Threats
Healthcare organizations are particularly vulnerable to insider threats because of the large number of people who need access to their systems and the value of the data they possess. In fact, the Protenus Breach Barometer revealed that insider threats are responsible for 25 percent of security incidents at healthcare organizations, a rate far higher than that experienced by the financial sector (5 percent) or the manufacturing industry (4 percent).

Insiders are not necessarily employees, and may never set foot on the healthcare organization’s premises. Healthcare organizations need to allow patients, vendors, and third-party business partners to access their data stores. Those with direct access to PHI are subject to HIPAA and business associate (BA) agreement requirements, but many parties may have incidental access and not be covered. For instance, a BA vendor may offshore some of its work to a foreign entity that is neither covered by nor knowledgeable about HIPAA, yet the healthcare organization that hired the BA is still responsible for protecting that PHI.

Be sure to read part two of our PHI series, where we will cover ways to defend PHI data and mitigate attacks. For more information about how our Identity Access Management solutions can help your organization, contact us today.