Has the Healthcare industry truly learned anything from the 2015 Anthem breach?
Judging by the results of the latest Security Scorecard report, the industry is still unprepared to face existing and known Cybersecurity risks, let alone counter emerging risks presented via expanded mobile and IoT threat vectors. Security Scorecard collected data from 1,200+ Healthcare companies and 1) found how the industry performs relative to other major U.S. industries and 2) uncovered absolute weaknesses within Healthcare organizations.
Key takeaways from the study:
- Compared to 18 major U.S. industries, Healthcare ranked a woeful 15th in its Cybersecurity preparedness (just above Pharma, Telecom, and Education).
- For added context, Healthcares Electronic Protected Health Information (ePHI) patient medical records can fetch as much as $100 each on the Dark Web, (continuing to) provide the demand side of the equation that fuels hackers to exploit this relatively poorly protected industry.
- Healthcares poor Endpoint security (ipads, PCs, other mobile / smart and IoT devices) potentially poses threats to patient data confidentiality.
- As is the case with many facets of personal and professional life, functionality and convenience too often trump security concerns, and many industries should consider reversing that arrangement.
- Its too easy for a hospital staffer to become blase about accessing or storing patient medical records on a mobile tablet for the sake of efficiency in doing their job. But how concerned are they about device security? Are the devices frequently audited or scrubbed to remove personal data? Are the devices storage encrypted in the event of loss or theft? Is the data encrypted at rest as well as in transit? Are the devices programmed with just enough or excessive records access control?
- Workers within healthcare receive numerous social engineering attack attempts, trying to get the user to click on malware that may lock up systems.
- All businesses should mandate cybersecurity awareness training, putting employees through simulated phishing attempts, so that they can fail in a safe space rather than endure the consequences of an actual attack.
- Another highly recommended measure is active IP filtering that runs all internet activity through a master filter, preventing access to identified malicious web sites, thus preventing the download and installation of ransomware / viruses.
- Healthcare organizations continue to struggle with timely deployment / installation of essential security patches. The May 2017 WannaCry ransomware malware took advantage of this failure to install updated security patches, and caused widespread damage, notably to Britain’s NHS hospital system.
A frequently cited refrain as to poor Healthcare patching cadence is the lack of resources to implement solutions or ability to respond to the sheer number of patches deployed by system vendors. Security Scorecards report brings home the point that Healthcares continued failure to monitor its systems, and actively implement security patches brings organizations out of compliance and thus liable for negligence claims and lawsuits.
An essential step is to audit your various software and hardware assets as well as security procedures via a thorough security assessment. Identify and ultimately address vulnerabilities in your systems as well as reveal gaps you may not have known to previously exist.
RSI Security is a premier HIPAA compliance consultant and cybersecurity provider, contact us for a free security assessment scan that will identify gaps in your current cybersecurity infrastructure, and engage with us on strategies to remediate those gaps.
About RSI Security
RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, Risk management and compliance efforts (GRC).