Healthcare data breaches have become an epidemic. In the past month, hackers gained access to the Louisiana Department of Health and Hospitals, health Net was fined $250,000 for a data breach and a Ponemon Study revealed data breaches cost the healthcare industry $6 billion a year. The healthcare industry needs an infusion of security. STAT!
Over the past two decades, McAfee has been helping healthcare providers around the world enhance their security posture. In talking with our healthcare customers, we have learned that regardless of location, size and other distinguishing factors, certain issues resonate with virtually every provider. The most important are securing sensitive data, protecting mission-critical systems, defending online web portals and managing the consumerization of IT.
Patient health information (PHI) has become as viral as the diseases healthcare providers treat. The HITECH Act of 2009 was designed to enhance efficiencies, but it also increases risk as sensitive PHI flows between patients, physicians, hospitals, pharmacies, labs and insurance companies, presenting multiple points of potential data leakage.
Bloor Research indicates an inside threat perpetuates the vast majority of healthcare breaches. Case in point, 23 employees of Kaiser Permanente Bellflower Hospital in Los Angeles illegally accessed the medical records of the “Octo–Mom” in 2009, resulting in a $250,000 fine.
Another issue healthcare providers face is a wide range of commercial, proprietary and legacy systems as part of their production environment. These heterogeneous operating environments are further exacerbated by the unfortunate reality of healthcare providers: they have fewer IT and security resources than other businesses of the same size.
Never before has so much information been so easily accessibly by so many. Individuals and organizations are proactively consuming information instead of passively waiting to receive it. For healthcare providers, this has manifested as self-service web portals.
However, a recent Dartmouth College study indicates that 75% of Americans are concerned about using health portals because of privacy concerns. The concern is justified, as recently as 2009 the FBI investigated a $10 million ransom demanded by a hacker who claimed to have stolen nearly 8.3 million patient records from a Virginia government web portal.
Finally, healthcare providers have been typically late adopters – but the consumerization of IT is forcing them to adapt to change more quickly. With the wide scale introduction of smartphones, iPads and laptops, the network environment is being exposed to cutting-edge employee-owned technologies. The division between IT and consumer electronics has become blurred and healthcare providers need to act now to protect their assets while facilitating this personal device revolution.
What’s the prognosis?
Data-centric solutions are essential to securing sensitive data. Host-based and network-based data leakage prevention coupled with database activity monitoring enables healthcare providers to prevent abuse and monitor how users are interacting with data.
Host-based firewalls, intrusion prevention systems and anti-malware systems are effective at protecting vulnerable systems. An alternative to black listing is white listing, a useful capability for healthcare providers with limited operating resources.
Perhaps the most applicable solution for portals are firewalls and IPS. In addition to traditional network security tools, application aware firewalls and web application firewalls can protect against a broader range of threats such as SQL injection and cross-site scripting.
Managing consumer devices falls into three categories: managing access, managing devices, and controlling where sensitive data resides. With various consumer device controls connected to the data-centric security controls outlined earlier, it can be ensured that no sensitive data remains persistent on the consumer device or “leaks” out of the environment.
Security for healthcare providers isn’t a black box, a service you can subscribe to, or a piece of hardware to be installed. It is a combination of data, system, network, application and consumer device solutions that incorporate services and best in breed partnerships.
Security Connected has the framework to work within the resource constraints and the special business characteristics of these healthcare providers. With connected, intelligent systems that promote operational efficiencies and sustainable compliance, the healthcare industry can revive security to excellent condition.