Forrester: Healthcare remains a ripe target for cybercriminals
As most everyone in healthcare will remember, health insurer Anthem suffered a data breach in 2015 that affected as many as 80 million patients. While healthcare did not witness a breach of that scale in 2016, numerous hospitals fell victim to ransomware attacks, and healthcare security budgets continued to lag behind those of other industries, according to Forrester Research.
The Forrester Research report, “Lessons Learned From The World’s Biggest Data Breaches And Privacy Abuses, 2016,” one 2016 incident of note was Banner Health’s breach of 3.7 million records from patients, health plan members, café customers and healthcare providers. The breach began with a POS compromise, but the attackers then were able to gain access to sensitive personal health information, the research and consulting firm added.
Poor internal practices often lead to misconfigurations and breaches – or in the case of health insurer Centene, someone can lose six hard drives containing the records of 950,000 patients, Forrester said.
Healthcare security leaders can learn a lot from the data breaches of 2016. Forrester divided the lessons to be learned into three categories.
First, healthcare organizations must fight to maintain, even increase, security budgets. Healthcare organizations spend 23 percent of the IT budget on security; other critical infrastructure industries such as utilities and telecom spend 35 percent, the firm noted. This is a massive disparity when one considers the critical nature of healthcare services and the sensitivity of the data at risk, the firm said. Given potential changes to national healthcare policy by the incoming administration, pressure on providers to deliver better quality care at a lower cost may intensify and place further pressure on technology budgets. Forrester Research predicts attackers will target healthcare organizations equally with retailers in 2017. Thus, now is the time to invest more in healthcare cybersecurity, the firm advised.
Second, healthcare organizations should segment their networks into micro-perimeters, Forrester suggested. As in the 2013 Target breach, Banner Health’s incident began with a POS compromise and then spread because it had a legacy perimeter-based approach to security, Forrester said. This means that once the hackers penetrated the initial perimeter, they were able to gain access to other parts of the environment.
In Forrester’s Zero Trust Model of information security, the firm recommends that security professionals segment their networks into micro-perimeters, where they can granularly restrict network and user access, apply additional security controls, and closely monitor network traffic based on the sensitivity of the systems and data within it. A Zero Trust approach means that an initial breach of the perimeter doesn’t allow hackers to jump to other parts of the environment, Forrester explained.
And third, healthcare organizations must encrypt, and encrypt some more, Forrester said. Centene’s missing hard drives contained the personal information of patients, including names, addresses, dates of birth, social security numbers, member ID numbers and other health information. If Centene had encrypted the data, it would not have needed to comply with regulatory mandates for breach notification and would have protected its patients’ privacy, Forrester said. Unless criminals have also stolen the encryption keys, they can’t sell the encrypted data or use it to commit fraud. This would have dramatically reduced Centene’s breach costs and preserved patient trust.
Ultimately, business leaders must lead customer data privacy, the Forrester report concluded. In 2017 and beyond, data volumes will continue to explode through new customer engagement models that use Internet of Things sensors, devices and wearables, and an ecosystem of third-party data partners and brokers, Forrester warned. Security leaders must work with their business counterparts to understand how data flows change as the business itself changes – whether that’s new partnerships, geographic expansion, more highly personalized customer offerings, or entirely new go-to-market models.
Thus, business executives will need to take the lead on discovery, classification and data-flow mapping, Forrester advised. Security and risk teams will assist with the appropriate tools and advice on risk quantification, the firm said, but business leaders must provide the necessary context about the value of the data.