By: 

Prioritizing Privilege to Protect Patient Data

The risk is that with so many access points, there is the high potential for exfiltration of data.
09:58 AM
Cybersecurity employees in a control room.

Digital transformation is changing healthcare by providing caregivers the technology needed for better care while improving the patient experience. From the establishment of electronic health records to the adoption of cloud-based applications, AI-driven doctor assistance and even telemedicine – care is being reimagined.

However, while digitized medical ecosystems can dramatically improve healthcare systems, it also introduces new pain points: Vulnerabilities in software cyber attackers are eager to exploit.

In healthcare, the digital transformation has occurred so successfully that almost every individual within an organization — from doctors and lawyers to support staff and operations — has a touchpoint into networks and other technology-backed systems. The risk is that with so many access points, there is the high potential for exfiltration of data, especially those consciously or unconsciously occurring because of vulnerabilities with privileged escalation— which is administrative-level access to all kinds of vital data about patients and the organization.

Why Healthcare Draws So Many Cyber Attacks

Healthcare has always been one of the most attractive markets for cyber criminals. Today, the modernization of networks, increase in merger and acquisitions (M&A) and Internet of Medical Things (IoMT) makes them an attractive target for cyber attackers.  Add the need to share information between organizations

Consider that nearly two-thirds of non-acute and vendor organizations have experienced a security incident in the past 12 months, according to the 2019 HIMSS Cybersecurity Survey. These incidents are initiated by both bad actors and negligent insiders.

As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) was notified of 351 data breaches of 500 or more healthcare records, resulting in the exposure of more than 13 million healthcare records in 2018 alone.

It is clear that the healthcare system has become a target for cyber attacks. Much of the appeal of targeting electronic personal health information (ePHI) has to do with the breadth of information that data holds as well as the susceptibility of the medical industry that has not prioritized digital security as it has evolved.

As opposed to a credit card data breach, healthcare information can be a lot more valuable to an attacker with birth dates, social security numbers and information on illnesses a person possesses.    Information about an illness can be used against prominent corporate and government leaders. Also, medical identity fraud takes longer to detect compared to other types of fraud.

The intent of these targeted cyber attacks can vary – whether it’s to cause a DDoS attack or  identity fraud in the healthcare system, drive blackmail schemes or hold hospitals and healthcare providers for ransom — not to mention the potential dangers inherent in vital, lifesaving medical devices being as connected to the cloud and networks as a mobile phone.

A Strong Proactive Response to Increasing Attacks

In an effort to improve safety and security, regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health HITECH and the General Data Protection Regulation (GDPR) in Europe target compliance for organizations using ePHI.

The cost is steep for those who don’t make the protection of health data a topmost priority; non-compliance by Florida-based Memorial Healthcare Systems in 2017 resulted in a $5.5 million payment to U.S. Department of Health and Human Services.

The fine was due to the failure of the organization to review access controls and examine audit logs, and, most neglectful, giving unauthorized employees access to private patient information through shared login credentials.

Put simply, the organization had failed to secure privileged access to critical systems and patient data – and paid dearly for it.

Privileged access security solutions can support providers’ ability to comply with regulations, avoid financial disaster, and, by extension, keep patient information safe.

Healthcare organizations need privileged accounts and credentials for administrators to access applications or data, or for devices to access the systems created by the technological advances of the past two decades — especially ePHI.

With the ever changing digital landscape, Cyber attackers continually seek, use and escalate privileges to achieve their ill-intended goals.

As hospitals and healthcare ecosystems continue to grow in size and complexity, providers must put an emphasis on protecting highly targeted ePHI. According to industry experts, protecting privileged access is the single best way to mitigate risks associated with ePHI theft, and the people and devices who can access it.

About the Author: Bryan Murphy, Director, Consulting Services – Americas, at CyberArk.