After the Anthem and Premera breaches, a lot of people asked me what healthcare companies need to do to make their organizations more secure. After the Excellus breach, the tone changed. Now people’s questions are full of exasperation and frustration. The following are a few questions I’ve been hearing more often about the recent surfeit of insurer breaches.
How do hacks go unnoticed for so long?
Part of an attacker's "job" is to be stealthy: staying under the radar for as long as possible is how he or she makes money. On the one hand, a breach slipping under the radar is understandable, as attackers are well funded and motivated. On the other hand, allowing megabreaches to continue for months or years is not particularly excusable as the data kept by healthcare organizations' is incredibly sensitive and needs to be protected. The damage done to people whose medical data is lost can be a lifelong and life-threatening battle.
In the wake of these three breaches – and others in the recent months – it’s clear that the risk of attacks to healthcare organizations is significant. Hopefully, this is motivating healthcare organizations of all sizes to start taking security much more seriously. But it's likely that even if they start to get their security in order, many of them will soon uncover attacks that are already in progress.
How much does it cost to do security well?
Healthcare has a lot of extra challenges when it comes to security. For instance, how do you secure information in a way that keeps it accessible quickly, in a literal life or death emergency? How do you deal with multimillion machines running outdated and unsupported operating systems?
Healthcare organizations need to be more deliberate about planning their defenses, and this means being diligent about performing risk assessments to make sure that money is well spent and that resources and assets are well covered. Ideally, risk assessments should be done on an ongoing basis, rather than just periodically. This helps ensure that new assets, strategies and both physical and digital defenses can be included in plans as quickly as possible.
There is a popular saying that you should plan your security as if you have already been breached. Given that several organizations have discovered high-profile breaches while implementing improvements to organizations' security, this advice is both apt and timely.
Do organizations still believe breaches won't happen to them?
I think some organization may still feel that they’re too small or too unimportant, but I think even more still consider their security to be a matter of “checkbox compliance”. Clearly, if they followed an arbitrary list of security protocols and procedures, they’d be okay right? No, not really.
If that security checklist did not come from a thorough and timely risk assessment, it could miss vital vulnerabilities. And if people are not following up on alerts and logs generated by internal and external monitoring, not keeping up to date with patching, and not adapting their practices as new threats and defenses appear, they’re missing ways for attackers to get in.
The truth is that every facility is a target, and being “compliant” doesn’t mean you’re secure. If you’re not keeping up with both your resources and your defenses, you could be leaving huge gaps for potential attackers to walk through.