This article was originally published on Cyber Defense Magazine
Like many other major industries, the healthcare industry too is under constant attack from cybercriminals. Healthcare organizations have a huge repository of patient data like name, phone number, email address, and medical history. Apart from personal information, they also store payment details which hackers can misuse for monetary gains.
Recent attacks on healthcare organizations have shown that cybercriminals are using sophisticated techniques to hack into secure networks and exfiltrate data. While cyber attacks are one part of the problem, the healthcare industry also suffers from a huge percentage of internal threats.
These threats could be employees with malicious intent or unintentional actions by employees which directly compromise an attribute of a security asset. If the healthcare industry wants to protect itself, both these threats must be prevented without compromise.
State of Security in the Healthcare Industry
Due to sensitive nature of the data that is at stake, the healthcare industry in the US must comply with HIPAA (Health Insurance Portability and Accountability Act of 1996). The legislation recommends a set of guidelines which ensure that healthcare organizations implement physical, network, as well as process security. However, it is becoming increasingly evident that limiting cyber security to just HIPAA compliance is not enough anymore.
According to the Verizon’s 2018 Protected Health Information Data Breach Report (PHIDBR), 70% of incidents involving malicious code were ransomware infections and a whopping 58% of incidents involved insiders.
While an internal breach could be just employee curiosity and may not always be malicious, it leaves sensitive data open to misuse. Unauthorized internal access to patients’ personal information provides a convenient means to commit fraud of various types. Regardless of the intent of the breach, securing data should be of prime concern to any healthcare organization.
Taking a Zero Trust Approach to Security
Most healthcare organizations have traditional cyber security systems which rely on protecting the perimeter using firewalls, while assuming all communication within the network is safe and authorized.
Threat actors are taking advantage of this assumption and using sophisticated attack vectors – like phishing, fileless malware, ransomware, zero day attacks – to enter the network. Once inside, they’re able to remain undetected for months since security operators have very little visibility of East-West traffic. Apart from hackers, the high percentage of internal threats from employees is also looming security concern.
In the event of a breach, a healthcare organization stands to lose not only their patients’ personal and financial details but also private and sensitive data like:
- Medical history
- Social Security/National Insurance numbers
- Medical device or serial numbers
- Biometric data
- Full facial photographic images or images that have unique identifying characteristics
- X-rays and diagnostic images
To defend against external and internal threats, the most reliable course of action is to implement a zero trust security architecture. The zero trust security concept is based on the premise that no connection is trusted unless it has been explicitly allowed.
Adopting zero trust security marks a paradigm shift from reactive to proactive security, wherein the goal is to prevent the breach rather than ‘react’ after it has happened.
How Zero Trust Security Can Make a Difference
To create a zero trust network, healthcare organizations cannot depend only on network level segmentation which uses VLAN/ACLs and internal firewalls. Maintaining access control lists and updating thousands of firewall rules on a regular basis in a dynamic business environment is cumbersome, operations-intensive, and error-prone – not to mention the high cost of maintenance and upgrades. Lack of East-West traffic visibility is also a major issue with hardware centric segmentation.
Zero trust security, on the other hand, can be implemented using software-defined micro-segmentation, which provides organizations with complete visibility of all network traffic across bare-mental and hybrid cloud environments. Essentially, healthcare organizations will be able to segment individual users, applications, and workloads to drive down intent-based security policies to the host level.
This means that every single person or application which connects to the organizations network – be it an employee, service provider, third-party vendor, or insurance partner – can be granted specific access based on the security policies of the organization. Any attempt to access unauthorized data by a prospective threat actor is immediately prevented and flagged, drastically reducing the attack surface.
To prevent employees from accessing sensitive data, healthcare organizations will be able to enforce strict security policies that define and limit the access of individual employees. Visibility combined with software-defined micro-segmentation will allow the security operators to record any deviation in behavior, which can then be investigated and used to fine tune the security policy.
Cybercriminals have evolved to develop advanced malicious code that can circumvent perimeter security and remain undetected. Attack forensics are also confirming that hackers are using sophisticated mechanisms to exfiltrate data. Unless the healthcare industry is willing to take a serious look at the inherent vulnerabilities of traditional network security systems, sensitive patient data will remain at risk.
Learn how ColorTokens can help healthcare organizations stay protected and compliant.