– We’ve had the chance to discuss all of the amazing new solutions and technologies impacting the healthcare world, as well as healthcare data security.
We know that IoT, telemedicine, and new healthcare services are all affecting the way we deliver care to people all over the world. All these new solutions are great, and they help save lives. But we must also consider potential healthcare data security threats.
These new healthcare services are increasing the amount of data we process through the data center. The latest Cisco Cloud Index report showed that annual global data center IP traffic will reach 20.6 zettabytes (ZB) by the end of 2021, up from 6.8 ZB per year in 2016. And, the global data center IP traffic will grow three-fold over the next five years.
That said, let’s switch gears to trust and security in the healthcare world. Despite all of the latest announcements around data breaches and healthcare data security challenges, we as healthcare consumers genuinely want to trust our providers.
In fact, research from Accenture shows that a significant majority of consumers (88 percent) trust their physicians or other healthcare providers to keep digital healthcare data secure. Furthermore, nearly the same percentage of people trusts their pharmacy (85 percent), the hospitals they visit (84 percent), their health insurance company (82 percent) and diagnostic labs (82 percent).
Still, having trust in healthcare organizations can sometimes come at a price for both the provider and the consumer. Remember, these organizations are constantly processing digital healthcare data, which may include their Social Security number, contact information, electronic medical record or health insurance ID. And, despite our efforts, this data is still being stolen.
To that extent, it’s important to understand some of the biggest security challenges impacting today’s infrastructure and data center operations. In the latest AFCOM State of the Data Center report, we found that the top five security and infrastructure threats to respondent are serious concerns across numerous industries. Specifically, these top five threats are:
Ransomware. I’m sure you’ve heard of a number of healthcare instances where ransomware was a serious issue. To be quite clear, it still is. Web links, and more specifically email, have been huge threat vectors when it comes to ransomware. It’s absolutely critical to control user devices, how they connect, and the types of links users are clicking on. When it comes to ransomware, you can employ good security at the border and for user devices. Email security, next-generation firewalls, and even web security gateways can all help with ransomware threats. However, if you find yourself in the ransomware boat, here’s a tip: Whatever you do, try your very best NOT to pay the ransom. Try to rebuild the files. Look for an available encryption decoder; many forms of ransomware have been successfully decrypted. Work with security partners to help you mitigate the spread of the attack and possibly help you recover the data.
Outside threats (human). Whether it’s malicious or not, people are a threat. These threats come from a doctor who accidentally clicked on a link while using a corporate device. Or, it might be a malicious attack against a healthcare system. Both are dangerous and both can have serious repercussions. Make sure to leverage good technologies which can interrogate devices trying to connect and even work to isolate network connections. Most of all, follow the flow of data. We’ll touch on this in a minute.
Advanced Persistent Threats (APTs) – Theft of IT and Corporate Data. Preparing for APTs is like saying “expect the unexpected and be ready for anything.” Theft of IT or corporate data can mean everything from a lost physical stolen laptop to someone downloading a sensitive spreadsheet onto a thumb drive and simply walking out. To say that you can cover all of your bases would be foolish. I have yet to find the silver bullet that can overcome some of the most advanced threats out there. However, you can mitigate your risk and even identify theft quickly. Ultimately, good security practices will prevent simple security errors. Lock your sensitive devices down, track them if needed via tools like Bluetooth beacons, and ensure that your endpoints are locked down as well. Prevent anyone from inserting USB keys unless cleared by your IT team. To combat APTs, you’ll need to employ a few strategies; ones that revolve around both physical and logical requirements.
Loss of PII/PHI. Losing patient information in any amount is never a good event. However, it’s going to happen. Remember, the value of healthcare data continues to increase. In fact, the value of healthcare data is higher than any other industry. Ponemon Institute recently calculated the average healthcare data breach costs to be $380 per record. While the average global cost per record for all industries is $141, healthcare data breach costs are more than 2.5 times that the global average. Financial services came in second with $336 cost per record. Knowing this, it’s absolutely critical to work with solutions which help monitor data loss, help with incident detection, and even help with advanced endpoint security (like endpoint detection and response). Most of all, know where all of your data repositories reside and how they’re secured. Oftentimes, loss of data comes from poorly secured systems, machines, and data storage practices. Furthermore, there are always challenges in how you allow employees to store data on their personal devices. Remember, good mobility and BYOD security practices can really help reduce data loss threats.
Distributed Denial of Service (DDoS) Attacks. This made the top five and is actually a legitimate threat. There’s a saying when it comes to designing modern service level agreements: “Slow is the new down.” So, even if your systems are “up,” if they’re performing poorly, they’re as good as useless. If you’re a large healthcare provider, leverage DNS services which can help mitigate and even quickly resolve any kind of DDoS attach. Furthermore, you can place your most critical applications behind web application firewalls (WAFs). This helps secure your apps from various types of threats and even DDoS attacks.
Healthcare organizations are a constant target. As we continue to deliver new types of services, healthcare data will only grow in value. This means that security leaders must always see the big picture when it comes to security and work with good technologies which meet specific needs.
The best piece of advice I can give you is to work with both IT personnel and healthcare providers when creating a security strategy. The last thing you want is a monolithic or rigid security architecture which disenfranchises, potentially, both the doctor and the patient. I’ve found success in testing systems out with champion groups and focusing on improving healthcare workflow, while still leveraging security solutions.
Whether you’re trying to secure an email system or design some kind of secure file storage platform, know that there are good technologies and partners that can make this entire journey easier. At the very least, never be afraid to test and pilot new security solutions as long as they align with your workflow and healthcare delivery services.