New Attacks, Regulations, and Stakes Call for New Security Strategies

New Attacks, Regulations, and Stakes Call for New Security Strategies
 Tim Callan, Senior Fellow, Sectigo

The amount of data generated by the healthcare industry is staggering—and constantly increasing.  Healthcare data encompasses the personal information of patients, doctors, nurses, and administrators. It includes diagnostic information, test results, ultrasound images, x-ray images, and of course insurance and financial information. With so much sensitive patient information there for the taking, it comes as little surprise that the healthcare industry—perhaps more than any other sector—has become a primary target for cyberattacks. Now, more than ever, it is critical that healthcare organizations take decisive action to protect their data. 

There has been no shortage of major (and notably costly) data breaches in recent years. The Equifax breach, for example, affected nearly half of all Americans. Last year’s Facebook breach was also headline news, thanks in large part to the number of users affected. Then there was a lesser-known yet costly LifeLabs breach—the largest in Canadian history—affecting more than 15 million people and prompting a lawsuit seeking north of $1 billion in damages for failure to adequately protect data. 

Healthcare data heists yield a premium, making them particularly attractive to hackers. The Center for Internet Security (CIS) notes that the “average cost of a data breach incurred by a non-healthcare related agency, per stolen record, is $158,” compared with $355 for healthcare records.

Though large, the LifeLabs incident isn’t even close to the largest healthcare data breach in history. That dubious honor goes to Anthem, which suffered a breach in 2015 that resulted in nearly 80 million compromised records. Although Anthem was able to reach a settlement with the victims for the relatively paltry sum of $115 million, both the standards for data protection and the expected remediation for failure have changed considerably in the five years since the attack. 

Regulations Raise the Stakes for Security

As the regulatory environment surrounding data breaches of all types grows more strict, hospitals and insurers have found themselves in the crosshairs of an increasingly brazen and sophisticated set of attackers. Part of the reason for this targeting stems from the relative value of healthcare records. There is a reason why “HIPAA” is an acronym known to most Americans, while other data protection laws are not.

Personal Health Information (PHI) tends to be more valuable than standard Personally Identifiable Information (PII) in large part due to its static nature. Patients can change a compromised credit card number or social security number, but not their medical history—and scammers prepared to exploit that history may render victims more vulnerable to certain types of fraud. 

New regulations are further raising the stakes for compliance. Although the California Consumer Privacy Act (CCPA) is not specifically targeted at healthcare organizations, the sector represents potentially one of the most vulnerable industries under the new law. If an organization is found to be in violation of CCPA, they have 30 days to rectify the situation or be subject to a fine of up to $7,500 per record exposed.

To put this in context: if CCPA were adopted nationwide, the LifeLabs breach that affected 15 million individuals would potentially be subject to a fine of $112.5 billion. That $1 billion lawsuits that LifeLabs is facing might sound like a lot, but under CCPA, it might mean getting off easy. This should underscore the necessity of protecting data of any kind today—let alone healthcare records. 

Ecosystems Span Email to Equipment

With the healthcare industry becoming an increasingly popular target and the penalties for breaches growing steeper, it’s important to consider that every endpoint, from desktops to devices, present attack paths for hackers. Measures as simple as stronger email security can make a big difference: in 2018 alone, Business Email Compromise (BEC) attacks resulted in more than $1.2 billion in victim losses. Spear phishing attacks, which are carried out using social engineering techniques to convince the target to relay confidential personal or financial information to what they believe is a legitimate recipient, represent an increasingly common method for attackers to gain access to user credentials or even directly obtain PII or PHI. Securing email with S/MIME (Secure/Multipurpose Internet Mail Extensions), which authenticates the sender of an email, enables employees not only to digitally sign and encrypt email communications but also to detect whether an email received has been authenticated or should not be trusted or opened.

Digital certificates are an essential part of protecting medical devices. Because they can be incorporated during the manufacturing process, these certificates allow device identity and integrity to be established from the moment they are first powered on. They also eliminate the potential for device spoofing, which protects against the possibility of counterfeit devices connecting to the network. These certificates serve as an effective proof point for savvy healthcare organizations. When vetting device suppliers and manufacturers, asking about their approach to device identity is essential. By learning to trust only manufacturers with a responsible approach to authentication, healthcare organizations can help protect one of the areas most susceptible to costly breaches. 

Medical equipment itself has also become more vulnerable. Today’s diagnostic devices are rarely standalone—most are connected to the internet, and anything connected to the internet can potentially be compromised. In fact, this compromise could occur before devices even leave the factory, potentially undermining even the most secure networks and leading medical device manufacturers to consider security starting at the assembly line; the point where device identity measures and digital certificate authentication become critical. Technologies such as secure boot can protect the integrity of a device or piece of software from the first time it is powered on. Similarly, embedded firewall and secure remote update technologies help ensure that software updates are authenticated before installation and that any communication with unauthorized devices stops before harm can be done. 

A kitchen with a sink and a window

Description automatically generated

Moving Forward with New Security Strategies

Today, health insurers, hospitals, and other patient care organizations must manage a truly massive amount of data. It is simply a fact of life. That data comes in many forms, and it can be valuable to cyber attackers for a multitude of reasons. At its core, this data is the healthcare industry’s most valuable asset—one that it must protect at all costs. 

Vulnerabilities can take many forms, from a human error to compromised devices. And while no solution can shield every possible form of attack, data and IT security administrators (and even OEMs) can take concrete steps to protect their organizations, patients, or chipsets against common attack vectors and better comply with today’s strict data protection regulations. Yes, the cloud has introduced new vulnerabilities, but it also has helped enable new security strategies and solutions that ensure every application, cell phone, server, or other connected “thing” has an authenticated digital identity.  The stakes are simply too high, and hackers have become too savvy, to rely on yesterday’s security status quo.

About Tim Callan, Senior Fellow at Sectigo

Senior Fellow Tim Callan contributes to the company’s standards and practices effort, industry relations, product roadmap, and go-to-market strategy. Tim has more than twenty years’ experience as a strategic marketing and product leader for successful B2B software and SaaS companies, with fifteen years’ experience in the SSL and PKI technology spaces.