Healthcare Data Is The Holy Grail for Cyber Thieves

While some incidents are the result of lost or stolen files, sophisticated hackers looking to lift the treasure trove of information found in health records are now the leading cause of data loss.

The threat isn’t likely to ease. Cybercrime is a “growing $6 billion epidemic that puts millions of patients and their information at risk,” according to a report on healthcare data security published last year by the Ponemon Institute.

To counter the growing threat, providers need to rethink their security strategies.


No longer are virus scanning and intrusion detection software sufficient.
“Protection technologies have a purpose; the problem is there are really wonderful ways to evade these things,” says Ronald Mehring, chief information security officer (CISO) for Texas Health Resources. “We’ve seen that with a multitude of breaches across organizations that have strong programs.”

The key, say experts, is a complex solution of multiple defense layers embedded with new data analysis techniques that can spot hackers before they can break into health data stores.

CIOs and their security staffs have to consider a class of more sophisticated tools that can sense when a breach is being attempted or already underway. For example, advanced classes of firewalls are aware of the applications running behind them and can take into consideration what is and isn’t normal traffic trying to access those applications.

Many organizations are turning to these types of layered protection, healthcare security professionals say.

“You want to have advanced application-level firewalls at the edge,” says David Reis, vice president of IT governance and security at Lahey Health, Burlington, Mass. “You want to have intrusion detection and prevention at the network layer inside the firewall to catch those things that get through the firewall. And then for the Internet-facing systems that you’re really worried about, you can put host-based intrusion detection on those very specific servers.”

But layered approaches alone may be incomplete because of threats burrowing in from the Internet, says Mehring. “Before, we looked at it like this iterative approach. Somebody comes in from the Internet, they hit an external firewall--some type of defense system that keeps them out, at the outer shell. Then if they make it past there, there is some other control, then some other control, and some other control. It doesn’t quite work that way anymore, because of the way users interact with technology, the Internet.”

Network protections can be thwarted when an employee unwisely falls prey to a phishing gambit by clicking on a hacker’s link or attachment. “Professionally and personally, that’s my biggest worry,” says Reis. Phishing attacks “can be incredibly effective, especially in the healthcare market where we’re all trained to be patient-centric, trained to be helpful.”

HIPAA has prompted health systems to elevate their efforts, adding encryption of data at rest, media protections, and backup and security protocols, says Russell Branzell, president and CEO of the College of Healthcare Information Management Executives. “It was the nudge we needed to get started, and most organizations generally have those in place today,” he says. Now they have to weigh technology “that measures and reacts to human nature and behavior.”

Barrier technologies are programmed to look for unique signatures of a finite number of viruses and other malware. “You need so many hits of people, machines, users getting infected in order for a rule, a pattern, a signature to be generated,” says Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society. In contrast to rules-based responses to attackers, the newer behavior-based methods look for departures from normal activity.

It’s all about trying to stay even with hackers who are continually changing their attack modes. “Prevention now is far more important than it’s ever been,” Reis asserts. “Detection is important, but we’re putting a lot more of our focus on preventive measures rather than detection measures, because things happen so much more quickly now than they did even five years ago. If you wait until you’ve detected, you’ve had a really big event. The key now is to make sure that event doesn’t happen.”


Increasingly, security technology is performing analyses on data coming from breach prevention and detection systems, sifting for suspicious activity, says Darren Lacey, CISO and director of IT compliance at Johns Hopkins University and its medical school. “Detection controls, what they do is they say, ‘Well, this thing is happening, and it looks kind of funny--what do you want me to do about it?’ ”

Answering those questions is a set of investigative controls, sometimes automated in their responses but usually operated by a staff pro responding to alerts, says Lacey, adding, “Detection controls are most beneficial when they’re integrated well with investigating.” Information aggregated from the various detection points--firewalls, host-based protection systems, audited activity logs and so on--aids in “creating new prevention signatures and new prevention rules.” And if a detection system sees something get through, “that will shape what prevention controls you run in the future.”

Prevention controls at the outer rim of the IT network include lists of IP addresses known to be destinations for stolen data or command-and-control centers for botnets, the networks of malware that are guided through a breached system looking for lucre. “But sometimes these botnets change IP addresses, so your preventive rule sets don’t tell you a lot,” says Lacey.

A detection system might identify a new IP address to which several devices inside an IT network are communicating back and forth, for unknown reasons. Chances are that something suspicious is in play, Lacey explains, and an alert is triggered for investigation. The first response likely is to set up a new preventive control, adding the address to the block list. If it prevents a compromised computer from communicating back to an outlaw site, “that greatly reduces the amount of damage that bots can do.”
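The detect-then-block loop described above, as an added example that is not from the article or any of the organizations quoted: a small Python check over constructed flow records that flags a previously unseen external address exchanging two-way traffic with several internal hosts, and proposes it as a new block-list entry. The internal address range, baseline destinations and block list are assumptions.

```python
"""Flag a new external destination that several internal hosts are talking
to (the alert), then feed it into the block list (the preventive control).
Added example; flow records and addresses below are constructed."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: hospital LAN
BASELINE_DESTS = {"203.0.113.10"}        # constructed: destinations seen before
BLOCK_LIST = {"198.51.100.7"}            # constructed: already-blocked addresses

# Constructed flow records: "src_ip dst_ip bytes_out bytes_in"
FLOWS = """
10.0.1.15 203.0.113.10 1200 5400
10.0.1.22 192.0.2.44 800 300
10.0.2.9  192.0.2.44 640 210
10.0.3.71 192.0.2.44 910 250
10.0.1.15 192.0.2.44 700 180
10.0.4.3  198.51.100.7 500 100
10.0.5.1  203.0.113.99 300 0
""".strip().splitlines()

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_suspect_destinations(flows, min_hosts=3):
    """Return {dst: sorted internal hosts} for unseen external destinations
    that at least min_hosts distinct internal hosts exchanged traffic with."""
    talkers = defaultdict(set)
    for line in flows:
        src, dst, out_b, in_b = line.split()
        if not is_internal(src) or is_internal(dst):
            continue                           # only outbound flows matter here
        if dst in BASELINE_DESTS or dst in BLOCK_LIST:
            continue                           # known good or already blocked
        if int(out_b) > 0 and int(in_b) > 0:   # two-way = "back and forth"
            talkers[dst].add(src)
    return {d: sorted(h) for d, h in talkers.items() if len(h) >= min_hosts}

def propose_block_list(flows, current=BLOCK_LIST, min_hosts=3):
    """Alert-then-prevent: investigated addresses become new block rules."""
    suspects = find_suspect_destinations(flows, min_hosts)
    return current | set(suspects)
```

Because the check keys on behaviour (several hosts, two-way traffic, never seen before) rather than a fixed address, it still fires when a botnet rotates to a new IP that no static list yet contains.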

10 Top Health Data Hacks

The giant breach at health insurer Anthem (previously WellPoint), potentially affecting up to 80 million insured members and employees, reminds us that the hacking threat to protected health information is persistent and growing. The HHS Office for Civil Rights Web site listing large breaches records more than 90 major incidents of hacking, which have become much more prevalent during the past two years. Here are the 10 largest healthcare hacking incidents to date.

Texas Health Resources takes the analytical route even further, devising risk profiles of users in its 25-hospital system based on their access to areas of the network, especially highly sensitive lodes of information, and on how much of a target they would be for, say, phishing attempts, says Mehring. He calls it a zonal approach within the network, as compared with a layered approach, intended to shut down breaches before they can spread.

“Quickness is key,” Mehring declares. “What we’ve found is that when that phishing email comes in, those first two hours that it’s in your environment are the most critical.” THR uses a cloud-based product that does a better job than in the past at detecting an attack and purging the invading agent, he says.

Vast improvements in the speed, computing ability and connectedness of healthcare information technology greatly complicate the business of keeping IT systems safe from intrusion. “Not only do hackers’ methods change, but the systems that we’re trying to protect evolve as well,” says Reis. “The systems get more complicated, and the hackers get more sophisticated, and to be effective we have to be able to keep up with both at the same rate.”

The fast movement of huge amounts of data makes near-real-time intrusion detection critically important, says Kim of HIMSS, because attackers that get in can move quickly and access large quantities of data in no time. A reactive strategy of spotting known malware in action will miss the mark, she emphasizes, because a reaction hours or days later is often too late.

Information Management: http://bit.ly/1ntZeMa
