Healthcare Data in the Crosshairs
Predictions that 2015 would be a year of ‘healthcare breaches’ are proving prescient, as another massive security incident comes to light.
Predictions about what security trends will dominate the news are about as reliable as any other kind of prediction – which is not very. But those experts who predicted that 2015 would be the year of the healthcare data breach are looking pretty good now. In just the first three months of the year, we’ve seen two large data breaches at healthcare organizations. The latest breach occured at health insurer Premera Blue Cross, the company disclosed on Tuesday.
According to a report by Reuters, Premera was the victim of a cyber attack that may have exposed medical data and financial information of 11 million customers. Attackers may have gained access to claims data, including clinical information, along with banking account numbers, Social Security numbers, birth dates and other data in an attack that began in May 2014. The incident was discovered in January, 2015 – suggesting that attackers had sustained access to the Premera network prior to being discovered.
Little is known about the circumstances that led to the compromise at Premera – though more details will almost certainly become public in the days and weeks ahead.
What’s clear is that the market for stolen personal information is hotter than ever. Cyber criminal and so-called “APT” or advanced persistent threat groups have discovered that healthcare organizations are easy targets rich in the kind of personally identifiable information that can be sold and used for identity theft, or leveraged in targeted attacks against other organizations. Reuters notes that more than half of the individuals affected by the breach at Premera – around six million – are from Washington State, home to leading technology firms like Microsoft and Amazon, and a major base for Boeing Corp.
What do healthcare companies need to do to secure their networks against attack? Many of the same things as firms in other verticals: endpoint protection, network monitoring and patch management go a long way. Monitoring for malicious activity on their network and, also, threat intelligence services to keep apprised of suspicious or malicious activity in the cyber underground that might affect their industry or their company in particular.
It goes without saying that strong and reliable user authentication is also a must. Account takeovers via phishing- and watering hole attacks, malware infections or other network compromises are a hallmark of advanced, targeted attacks. At the same time, hospitals, doctors’ offices and healthcare networks are being pressed to adopt productivity enhancing technologies, from electronic health record systems to e-prescription technologies. Those tools promise better care and massive savings within the healthcare sector. However, improperly implemented, they can also leave healthcare organizations and patient data vulnerable in new and unexpected ways.
Duo has put together a guide that discusses some of the ways that patient data becomes vulnerable and how to protect it - for more about patient data security, download Duo Security's Guide to Securing Patient Data: Breach Prevention Doesn’t Have to Be Brain Surgery.
To help you navigate patient data security, our guide will:
- Summarize relevant health IT security legislation, including federal and state
- Provide information security guidelines on remote access risks and solutions
- Provide extensive security resources and a real hospital case study
- Explain how to protect against modern attacks and meet regulatory compliance with two-factor authentication
Ideal for CISOs, security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for IT decision-makers that need to implement strong authentication security, as well as those evaluating two-factor authentication solutions for organizations in the healthcare industry.