What Healthcare CISOs Should Know

Uploaded on 2017-05-23 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Health & Welfare

It used to be that retail and financial services were the most popular targets for breaches and malicious attacks, but the healthcare industry is now right up there with them.

The reason for that change is simple: protected health information (PHI) is more lucrative on the dark web than other forms of personally identifiable information.

Also, healthcare organisations keep other useful data: access credentials, personally identifiable information, and financial records.

“The value of a single medical record on the web’s black market can be as high as $500,” Essaid points out.

Yet, most people are unaware of the fact that medical data theft can be far more damaging than credit card or social security number compromise.

For one thing, the stolen medical records can be used for a variety of criminal activities: more personal data theft, payment card fraud, healthcare insurance fraud, acquisition of controlled and prescription substances, and so on. Secondly, the victims will likely have problems because of it for the rest of their lives.

Still, we’re all forced to trust healthcare organisations to keep out medical data secure. Unfortunately, many of them are struggling to sufficiently secure their systems due to limited resources, budget and timelines.

Advice healthcare CISOs should heed

“The healthcare sector is under pressure to comply with a range of regulations such as US healthcare-specific HIPAA, more general data protection rules such as the looming GDPR (General Data Protection Regulation) in Europe and, for those that take online payments, the PCI-DSS (Payment Card Industry Data Security Standard),” says Essaid.

A CISO moving from another industry needs to understand this landscape. Also, he or she must recognise that integrating security into a healthcare organisation’s Software Development Life Cycle is a difficult thing to do well.

“The CISO should first review the HITRUST CSF (Common Security Framework),” he advises to healthcare CISOs.

“Secondly, many healthcare organisations, especially ones that deal with the Centers for Medicare and Medicaid Services (CMS), are familiar with the NIST 800-53R4 framework. The US Government uses this as the core of its security programs. CMS also pushes that requirement down to partners. Ideally look at negotiating the more open 800-53 over the closed HITRUST CSF with your stakeholders and you will benefit in the long run.”

Start with the basics, and don’t forget the APIs

In general, though, healthcare institutions need to start with the basics:

•    Training, education and awareness for employees around social engineering and insider threats

•    Developing a better understanding of the motivations of cyber criminals and what key assets they are looking for, and then implementing protection controls accordingly.

Then comes the establishing of the necessary security audits, processes, procedures and compliance.

Essaid believes that adopting the Open Web Application Security Project (OWASP) secure development guidelines is a good idea, more so because seven of the twenty OWASP Automated Threats (OATs) are cited as primary threats to the healthcare industry.

Another important thing is not to overlook access control to website content and APIs, as many security practices that historically have been delivered in the user interface are now moving to API back-ends.

“In addition to the business benefits of faster delivery and ease of integrations aside, there are some security benefits of using APIs, too. Condensing the logic into the API helps address common UI related security issues,” he explains.

But cyber-criminals use bad bots (what OWASP calls Automated Threats) to attack login screens, steal patient records and perform account fraud. And aggregators and upstarts use web scraping bots to steal unique content or provide insurance policy quotes.

“Inaccurate pricing leads to customer frustration, and aggressive scraping can even cause slowdowns and downtime,” he points out. “But while APIs widen an organisation’s attack surface, but many of the same secure development best practices can also be implemented to protect them.”

HelpNetSecurity:

You Might Also Read:

Healthcare Starts Spending Big On Cybersecurity:

Increasing Healthcare Cybersecurity Risks:

Stolen Health Records Flooding Dark Web Markets:

 

 

« Three Cybersecurity Trends Business Should Address
What Happens If Criminals & Terrorists Get To Use AI »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Bishop Fox

Bishop Fox

Bishop Fox is a leading authority in offensive security, providing solutions ranging from continuous penetration testing and attack surface management to product and application security assessments.

HDI

HDI

HDI is the worldwide professional association and certification body for the technical service and support industry.

Security Audit Systems

Security Audit Systems

Security Audit Systems is a website security specialist providing website security audits and managed web security services.

Sysmosoft

Sysmosoft

Sysmosoft specializes in providing highly secured telecommunication solutions for mobile devices for companies requiring protected access to sensitive data remotely.

AdaptiveMobile Security

AdaptiveMobile Security

AdaptiveMobile Security, a world leader in mobile network security, protecting more than 2.2 billion subscribers worldwide.

Council for Information & Communication Technologies (CTIC)

Council for Information & Communication Technologies (CTIC)

CTIC was set up to address specific issues in the field of ICT relevant to the implementation of electronic government.

Cloudentity

Cloudentity

Cloudentity combines Identity for all things with API and Application security in a unique deployment model, combining cloud-transformation and legacy systems.

CyCognito

CyCognito

CyCognito empowers companies to take full control over their attack surface by uncovering and eliminating the critical security risks they didn't even know existed.

GitGuardian

GitGuardian

Enable developers, ops, security and compliance professionals to enforce security policies across public and private code, and other data sources as well

CyberSaint Security

CyberSaint Security

CyberSaint’s CyberStrong Platform empowers organizations to implement automated, intelligent cybersecurity compliance and risk management.

Ten Eleven Ventures

Ten Eleven Ventures

Ten Eleven is a specialized venture capital firm exclusively dedicated to helping cybersecurity companies thrive.

CloudSEK

CloudSEK

CloudSEK has set its sights on building the world’s fastest and most reliable AI technology, that identifies and resolves digital threats.

MillenniumIT ESP (MIT ESP)

MillenniumIT ESP (MIT ESP)

MillenniumIT ESP provides solutions and services around Core Infrastructure, Cloud, Cyber Security, Enterprise Applications, Intelligent Automation and Data, Smart Buildings, and Managed Services.

Electrosoft Services

Electrosoft Services

Electrosoft provide mature, innovative technology-based services and solutions to power critical IT programs and keep our nation safe from cybersecurity attacks.

Adversa AI

Adversa AI

Adversa's mission is to build trust in AI and protect AI from cyber threats, privacy issues, and safety incidents.

Vultara

Vultara

Vultara provides web-based product security risk management tools for electronics manufacturers.