What Healthcare CISOs Should Know

It used to be that retail and financial services were the most popular targets for breaches and malicious attacks, but the healthcare industry is now right up there with them.

The reason for that change is simple: protected health information (PHI) is more lucrative on the dark web than other forms of personally identifiable information.

Also, healthcare organisations keep other useful data: access credentials, personally identifiable information, and financial records.

“The value of a single medical record on the web’s black market can be as high as $500,” Essaid points out.

Yet, most people are unaware of the fact that medical data theft can be far more damaging than credit card or social security number compromise.

For one thing, the stolen medical records can be used for a variety of criminal activities: more personal data theft, payment card fraud, healthcare insurance fraud, acquisition of controlled and prescription substances, and so on. Secondly, the victims will likely have problems because of it for the rest of their lives.

Still, we’re all forced to trust healthcare organisations to keep our medical data secure. Unfortunately, many of them are struggling to secure their systems adequately due to limited resources, budgets and timelines.

Advice healthcare CISOs should heed

“The healthcare sector is under pressure to comply with a range of regulations such as US healthcare-specific HIPAA, more general data protection rules such as the looming GDPR (General Data Protection Regulation) in Europe and, for those that take online payments, the PCI-DSS (Payment Card Industry Data Security Standard),” says Essaid.

A CISO moving from another industry needs to understand this landscape. Also, he or she must recognise that integrating security into a healthcare organisation’s Software Development Life Cycle is a difficult thing to do well.

“The CISO should first review the HITRUST CSF (Common Security Framework),” he advises healthcare CISOs.

“Secondly, many healthcare organisations, especially ones that deal with the Centers for Medicare and Medicaid Services (CMS), are familiar with the NIST 800-53R4 framework. The US Government uses this as the core of its security programs. CMS also pushes that requirement down to partners. Ideally look at negotiating the more open 800-53 over the closed HITRUST CSF with your stakeholders and you will benefit in the long run.”

Start with the basics, and don’t forget the APIs

In general, though, healthcare institutions need to start with the basics:

•    Training, education and awareness for employees around social engineering and insider threats

•    Developing a better understanding of the motivations of cyber criminals and what key assets they are looking for, and then implementing protection controls accordingly.

Then comes establishing the necessary security audits, processes, procedures and compliance.

Essaid believes that adopting the Open Web Application Security Project (OWASP) secure development guidelines is a good idea, more so because seven of the twenty OWASP Automated Threats (OATs) are cited as primary threats to the healthcare industry.

Another important thing is not to overlook access control to website content and APIs, as many security practices that historically have been delivered in the user interface are now moving to API back-ends.

“In addition to the business benefits of faster delivery and ease of integration, there are some security benefits of using APIs, too. Condensing the logic into the API helps address common UI-related security issues,” he explains.

But cyber-criminals use bad bots (what OWASP calls Automated Threats) to attack login screens, steal patient records and perform account fraud. And aggregators and upstarts use web scraping bots to steal unique content or provide insurance policy quotes.

“Inaccurate pricing leads to customer frustration, and aggressive scraping can even cause slowdowns and downtime,” he points out. “But while APIs widen an organisation’s attack surface, many of the same secure development best practices can also be implemented to protect them.”
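The two bot behaviours described above, automated attempts against a login API and rapid scraping of a quote API, both show up in access logs as bursts from one client. The following is an added example (not code from the article or from Essaid) of the kind of detection logic a healthcare security team could run over such logs: it parses a constructed, simplified log format and applies sliding-window thresholds per source IP. The endpoint paths, field layout, window sizes and limits are all assumptions chosen for illustration; real deployments would tune them to observed traffic and pair them with rate limiting at the API gateway.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log (not real traffic). Field layout, which is an
# assumption for this example: timestamp  client_ip  method  path  status  account
# One deliberately malformed line is included to show that the parser skips it.
SAMPLE_LOG = """\
2024-03-01T09:00:00 203.0.113.5 POST /api/login 401 alice
2024-03-01T09:00:01 203.0.113.5 POST /api/login 401 bob
2024-03-01T09:00:02 203.0.113.5 POST /api/login 401 carol
2024-03-01T09:00:03 203.0.113.5 POST /api/login 401 dave
2024-03-01T09:00:04 203.0.113.5 POST /api/login 200 erin
2024-03-01T09:00:10 198.51.100.7 POST /api/login 401 frank
2024-03-01T09:00:40 198.51.100.7 POST /api/login 200 frank
this line is malformed and will be skipped
2024-03-01T09:01:00 192.0.2.9 GET /api/quotes?zip=10001 200 -
2024-03-01T09:01:01 192.0.2.9 GET /api/quotes?zip=10002 200 -
2024-03-01T09:01:02 192.0.2.9 GET /api/quotes?zip=10003 200 -
2024-03-01T09:01:03 192.0.2.9 GET /api/quotes?zip=10004 200 -
2024-03-01T09:01:04 192.0.2.9 GET /api/quotes?zip=10005 200 -
2024-03-01T09:01:05 192.0.2.9 GET /api/quotes?zip=10006 200 -
2024-03-01T09:05:00 198.51.100.7 GET /api/quotes?zip=10001 200 frank
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<account>\S+)$"
)


def parse_log(text):
    """Parse the log text into a list of event dicts, preserving file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["status"] = int(ev["status"])
        ev["path"] = ev["path"].split("?", 1)[0]  # compare paths without the query string
        events.append(ev)
    return events


def flag_bursts(events, path, window_seconds, max_requests):
    """Return the set of IPs that sent more than max_requests to `path`
    within any sliding window of window_seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of recent requests to `path`
    flagged = set()
    for ev in events:
        if ev["path"] != path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop timestamps that have fallen out of the window.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            flagged.add(ev["ip"])
    return flagged


def flag_account_spray(events, window_seconds, max_accounts, login_path="/api/login"):
    """Return the set of IPs that attempted logins against more than max_accounts
    distinct accounts within the window (a credential-stuffing indicator)."""
    recent = defaultdict(deque)  # ip -> (timestamp, account) of recent login attempts
    flagged = set()
    for ev in events:
        if ev["path"] != login_path:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["account"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len({acct for _, acct in q}) > max_accounts:
            flagged.add(ev["ip"])
    return flagged


def analyse(text):
    """Run all three detectors and return the flagged IPs per category.
    Thresholds are illustrative assumptions, not recommended production values."""
    events = parse_log(text)
    return {
        "login_burst": flag_bursts(events, "/api/login", window_seconds=60, max_requests=4),
        "account_spray": flag_account_spray(events, window_seconds=60, max_accounts=3),
        "scraping": flag_bursts(events, "/api/quotes", window_seconds=10, max_requests=5),
    }


if __name__ == "__main__":
    for category, ips in analyse(SAMPLE_LOG).items():
        print(f"{category}: {sorted(ips) or 'none'}")
```

On the constructed log, 203.0.113.5 is flagged for both the login burst and for trying five different accounts within seconds, while 198.51.100.7 (two attempts against its own account, then one quote request minutes later) is not; 192.0.2.9 is flagged for scraping the quote endpoint. Keying the windows on source IP alone is a simplification: distributed bot traffic spreads across many addresses, so the same sliding-window logic is normally also applied per account, per session token and per API key.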

Source: HelpNetSecurity
