In the first blog post of this three-blog series, we discussed the extraordinarily powerful “perfect storm” of cyber risk faced by healthcare organizations. The second blog post reviews how data security risks persist despite HIPAA compliance. In this third blog, we will discuss how to get started and best practices that healthcare organizations are using to employ a proactive, risk-based security framework that continuously detects and blocks ALL threats and prioritizes them for rapid remediation.
The three P’s
A common pitfall in healthcare cybersecurity is partial knowledge regarding the three P’s:
- Personal health info (PHI)
- Personal credit info (PCI)
- Personally identifiable information (PII)
Your mission: Know and manage EVERYONE accessing ALL this highly sensitive data.
Cyber and IT-security aims to protect PHI wherever it goes. To achieve this, you must know everywhere your sensitive data may go internally and externally including the cloud. Once that knowledge is established, you can deploy data protection policies involving who, what, where, and when. Without that combined knowledge baseline of access control, user behavior, and threat detection, anomalous behavior can go undetected. From a cybersecurity perspective, know what are active attack types such as ransomware and injection attacks to build proactive mechanisms to mitigate potential damage.
Sensitive data management is the bedrock
Having 100% knowledge of access across 100% of your sensitive data can serve as the bedrock of an effective sensitive data management strategy. This strategy comprises breach detection at the data repository (i.e. database, data store, file system)—versus perimeter—level. Without full knowledge, healthcare organizations are building data protection upon a foundation of sand, making data security an elusive goal.
The litmus test: Can you answer each of these questions?
The following questions help illuminate gaps in your data security knowledge:
- Where specifically, is your private data located?
- Who is accessing your data?
- How do they access your data?
- Should they have access to your data?
- Which users have access to your data, but do not use it?
- Who is responsible if data is lost? (data loss or exposure)
- Who is responsible for monitoring that data? (regulatory reporting)
The ability to answer all these questions is akin to a litmus test of your current data security status. You need thorough answers to these questions. For example, question number one does not ask only “where do you keep your sensitive data?” It asks to identify ALL of the locations where ALL of your private data could be located. Without this level of comprehensive knowledge and insight, risks and vulnerabilities will remain unchecked and increase over time.
Many healthcare organizations are in the midst of digital transformation that has accelerated patient and customer care via cloud-based and distributed services. As a result, DevOps has created the perfect storm of rapid infrastructure expansion and unwieldy data sprawl, as well as increased the number of entry points from which cyber attackers can pivot and access personal data.
At the center of all this, are Electronic Health Record (EHR) systems that are critical to running healthcare organizations. EHR systems are considered the most important IT system since these systems manage and store every aspect of patient and provider information, medical care, billing, and more, making security a top concern. As a result, stringent regulatory scrutiny ensures adequate security controls and practices are in place.
While remaining largely focused on the same business and customer models, hospitals and health systems are embracing new digital systems —from modernizing with cloud-based applications and services to accelerating the adoption of disruptive technologies such as artificial intelligence (AI).
As reported in the Verizon 2023 Data Breach Investigations Report Healthcare Snapshot, “74% of all breaches include the human element, with people being involved either via Error, Privilege Misuse, and use of stolen credentials or Social Engineering. 83% of breaches involved External actors, and the primary motivation for attacks continues to be overwhelmingly financially driven, at 95% of breaches.”
Source: Verizon 2023 Data Breach Investigations Report Healthcare Snapshot
The goal of bad actors/attackers is to identify and exfiltrate patient data, health records, payment cards, or other PII from your data sources. Those assets have tangible value on the black market. Cyber security practitioners, need to gain visibility into 100% of your organization’s data estate and use reliable, automated security analytics tools to understand what is normal behavior, so you can quickly identify suspicious behavior and orchestrate actions to stop it.
Best practices: Four essential capabilities
1. Encryption
Encrypt data; particularly sensitive files before moving them, or use full disk encryption to protect entire storage media. Encrypting data at rest secures files and documents, ensuring that only those with the key can access them. The files are useless to anyone else. Use encryption to safeguard data that moves in and out of your organization. Encryption keys are highly sensitive, so it is a good idea to use cryptographic key management services to secure them.
2. Discovery and classification
Discover and then classify. All of the areas where data is located must be identified. This means everywhere, including file servers, in the cloud, on-premises, old systems, and new systems. Automated tools can help to find every instance of data. Once found, data must be classified: What kind of data is it (level of sensitivity)? Then that data can be tagged accordingly and prioritized in terms of sensitivity.
3. Visibility and Compliance (Audit)
Monitor ALL access to file servers -– on-premises, in the cloud; and ALL access to databases (relational, old mainframe, in the cloud, data warehouses, such as snowflake, and others). This is an ongoing, evergreen activity and reveals every single person, entity, and application that is accessing these resources, and who did what when. Audit trails tell you what sequence of actions occurred, if you need to confirm how and why the system or the data is in a certain state.
4. Threat detection
With the knowns obtained from the first two steps, you can now achieve regulatory compliance because you know:
- What people and applications are doing
- What people and applications are supposed to do
- What people and applications are NOT supposed to do
Bad behavior can now be identified and mitigated, where “bad” is based on insights from historical behavior using artificial intelligence/machine learning (AI/ML). For instance, anomalous behavior, such as a user connecting in with a different laptop or new IP address or accessing a file at a greater volume, is rapidly and automatically detected. Events such as these will generate an alert that risks may be increasing due to atypical behavior based on times, access points, files accessed, etc.
This is how early detection and remediation of potential threats become possible. Alerts create the immediate, near-real-time ability for personnel –- or in some pre-specified cases, an automated control — to revoke access, quarantine, or lock users out.
What can you do now?
A risk-based cybersecurity approach is a must-have for healthcare organizations around the world. It can improve patient care, and protect your healthcare organization before a breach occurs, and successful remediation can mitigate risk and cost.
Data proliferation has resulted in a staggering number of false positives and logs. This requires the use of artificial intelligence (AI) to respond to attacks in real time. With Imperva’s Data Security Fabric support for IRIS data platform, IT, security and system administrators have complete visibility into front-end application activity, including EPIC, as well as any administrative super user activity on the data store and its hypersensitive data.
A solution that enables visibility at the data layer gives you the capacity to proactively manage risks and detect constantly changing threats, and it provides the foundation for a comprehensive data protection and compliance strategy. Your team should be able to see all the data on a single, unified platform, and –- as new data sources are added -– your solution should be able to scale up to onboard them no matter where that data resides.
To learn more, visit Imperva data protection solutions for healthcare and view my recorded session: Safeguarding Patient Data: Assessing Healthcare Data Protection Measures.
Try Imperva for Free
Protect your business for 30 days on Imperva.