Your personal information is significantly more valuable on the black market than your credit card information when that data is related to healthcare.
In the cyber security world your personal information—name, address, social security number, user names and passwords, social media accounts etc.—is known as Personally identifiable information, or PII. When you add medical information to the mix, your PII takes on additional value that makes it very attractive to criminal hackers who can sell it, use it to steal your identity on the most intimate level, or hold an entire hospital to ransom in what we have come to know as a “ransomware attack”.
What this means is that it’s critical for healthcare organizations to protect all the information in their systems by storing it at a maximum cyber-security level, and allowing access only to those who really need it to carry out their jobs. And it’s not just patient information that needs to be under cyber lock and key. Every healthcare organization must also protect the PII of its employees, contractors, and anyone else who may have provided personal information.
The healthcare industry knows it needs to protect PII. It’s simply bad for business for PII to be exposed to the world. It hurts customer and business relationships and it carries heavy fines related to HIPAA compliance violations. Yet in 2017 over 27% of data breaches were medical or healthcare related, according to the Experian Identity Theft Resource Center.
So how is healthcare-related personally identifiable information being exposed? What are the key points of risk for a breach?
There are three primary ways PII is exposed, and they are all equally important to consider when ensuring that your healthcare organization has a strong data protection strategy.
1.) A cyber-attack
Cyber-attacks are a serious security issue for any healthcare organization. They can come in many forms, and the attacker need only be successful once, while your organization must be successful at blocking the attacks 100% of the time.
Unfair? Probably, but still true. Cyber-perimeter defense systems are important to protect against cyber-attacks, as are network logging tools to detect anomalies. And if just one criminal hacker is successful, it’s important to make sure they cannot get past your threshold, so to speak. Healthcare organizations must deploy the appropriate software to ensure that an attacker, once in the system, cannot elevate their network privileges or move laterally within your organization’s network.
2.) An insider threat
There are many reasons an insider may deliberately put your organization’s security at risk. Sometimes an employee may become upset with your organization and retaliate by exposing some of your sensitive information, or by leaving the company and taking confidential passwords with them. No one wants this to happen, but it can. Or, because healthcare data is so valuable, some employees look to PII as a way to make money when they cannot think of anywhere else to turn. There are actions you can take to limit this risk, such as ensuring employees and contractors only have access to the level of information they truly need, and being able to immediately terminate access and change passwords when an employee leaves.
3.) A careless insider
Perhaps they didn’t mean it. Maybe they left their company-issued phone or laptop in a taxi, or someone stole a device from them. Maybe they innocently clicked on a link in a phishing email and exposed a password or other information.
Either way, when it comes to healthcare data, doctors and other staff have a significant amount of remote access to PII, and this poses a huge risk for fines—a lesson we have learned from past experiences where patient records have been leaked, sometimes in their millions. Lost or stolen devices are, in fact, one of the leading causes of an unintentional breach. Employees must be required to use strong passwords on all their devices and should never text or e-mail sensitive information from unprotected devices.
How do healthcare organizations protect the PII of patients, contractors and employees?
No healthcare organization, large or small, should be without an enterprise-level password management system and privileged access management software (also called PAM software). A PAM system that is both comprehensive and simple to use will be well adopted and provide the maximum cyber security available for your healthcare organization’s network.
This article was provided by the cyber security team at Thycotic.