In the world of health care security, there used to be two main things you would worry about: being audited or an accidental breach (perhaps taking the form of a misplaced folder or stolen laptop). Of course, both of these are still headaches.
Take the story of Concentra Health Services, for example. The Department of Health and Human Services Office for Civil Rights (OCR) began conducting new rounds of “desk” audits last year with the intent of measuring HIPAA compliance. Their investigation of Concentra uncovered a lack of encryption on laptops and insufficient security management processes in place to protect personal health information. In the end, Concentra was slapped with a $1.7 million fine.
The OCR's mission is to make sure your data is secure. But now there is a much larger group of people – hackers – who are looking to find that out as well, and they have an even greater incentive. Healthcare records contain a lot of sensitive data, and that data has a price tag. “Checking the box” when it comes to compliance is not enough to keep these attackers at bay.
Back in May, attackers gained access to a computer server tied to the Montana Department of Public Health and Human Services, stealing personal identifiable information (PII) including the Social Security numbers, bank account numbers and prescriptions details of patients, health agency employees and contractors.
Then in August, Community Health Systems, which operates 206 hospitals across the United States, revealed that hackers broke into its computers and stole data on 4.5 million patients. This includes names, Social Security numbers, physical addresses, birthdays and telephone numbers. Community Health will not only have to deal with the fines, but will also feel the impact of this breach in its patient numbers. Would you go back to a hospital that put you at risk for identify fraud?
What's a healthcare organization to do?
You know that old saying about gazelles and lions. You don't have to be the fastest gazelle; you just have to be faster than the slowest gazelle. Hackers are looking for easy targets. Don't be one. But being compliant is not enough to keep you out of the lion's reach – just because you have complied with regulations doesn't mean you are in compliance with security best practices. The key is to meet your compliance goals without losing sight of your big picture security risk.
Here's a place where many get stuck on the road to maturity:
Your organization has made substantial investments in security technology. In addition to network firewalls and endpoint protection products, you've likely deployed data encryption technology, intrusion detection and prevention systems, vulnerability scanners and log management software, to name a few solutions. You run periodic vulnerability scans and monitor security events, but you're left with a mountain of data. And thoroughly processing that data – turning it into actionable information – requires more time and resources than you could possible afford. You need a way to narrow your focus on the most vulnerable points of your network.
This is where you must take steps to mature your vulnerability management program with attack intelligence. Look at your organization through the eyes of an attacker. Understanding how someone trying to steal information will behave in your environment is critical to understanding which vulnerabilities pose the greatest threat to your organization, so you can plan your defense strategy accordingly.
If there's a vulnerability in your network that can only lead an attacker as far as last week's lunch menu, is it a priority? Of course not, especially if there is also a vulnerability that could lead an attacker all the way to the medical record application servers. That is an issue that must be addressed immediately and where you should be focusing your resources. Attack intelligence enables you to focus on what is important, and protect it.
Do you have tools and processes in place to predict where the hackers will strike and build your defenses accordingly? Can you find the major security gaps before the bad guys (or the good guys looking out for patients' right to privacy) beat you to it? This strategy will help your program meet crucial industry regulations, make your security team more efficient, and most importantly, protect patients.
So when it comes to healthcare security, if you think compliance is the only thing you need to worry about, think again. And think like an attacker.
Eric Cowperthwaite is the vice president of advanced security and strategy at Core Security, the leading provider of predictive security intelligence solutions for enterprises and government organizations. He has nearly 30 years experience as a security practitioner and leader in both civilian and military settings.