August 21, 2015 | Categories: Cloud Services
It seems like you can’t open the newspaper (for those of you who still read newspapers) without seeing a story about another big company having its systems compromised. And more and more often, health care is a target of these attacks. Witness the hack on UCLA Health System in July, which compromised data on 4.5 million patients.
This comes on the heels of the attack on Anthem earlier this year, among others. Health care data is increasingly valued by hackers for a variety of reasons, says Dave Damato, formerly the lead investigator on the Anthem attack at FireEye and now Chief Security Officer at Tanium, a security and systems management startup.
I recently spoke with Damato about the potential methods and motivations of hackers in the health care industry and how provider organizations, including smaller medical practices without huge IT budgets, can better protect themselves and their patients. – Michelle Mangino, Editorial Manager
Why do breaches of patient records continue to be a problem across the country?
Dave Damato: There are two different factors. First, this is asymmetric warfare. Large organizations have to do everything exactly right, while criminals need just one entry point. It’s very difficult to detect and monitor every attack when you have, in some cases, hundreds of thousands of devices.
The second challenge is that organizations rarely understand the state of their information systems. Without this intelligence, organizations are unable to proactively ensure basic security hygiene is implemented, let alone more advanced requirements of a mature security program. This requires proven technology, managed by smart people and effective processes – something that is not quickly achieved or easy to accomplish.
So what should health systems consider a realistic approach to security?
Damato: It’s realistic to assume an attacker will breach your network at some point. The key is to detect such events early and have adequate controls in place to ensure attackers can’t easily spread to other devices. This requires layers of controls, commonly referred to as defense in depth. Ideally, you’d want such controls to detect an attack within the first few hours – the more time that passes, the more damage an attacker can cause. Larger organizations with dedicated Security Operations Centers are definitely at an advantage here because they can respond 24/7, but smaller organizations can obtain some help by outsourcing after-hours alerts.
What type of attackers should smaller groups worry about?
Damato: There are really two types of attackers. Small organizations don’t have to worry as much about nation-states, like China. Nation-states are interested in intelligence collection, so unless a small organization has very specific data, nation-states are more likely to target larger networks with more data. Organized crime is much more likely to target health systems overall. These individuals are interested in making money, and health care records are worth a lot more money than credit card or other data. As retailers focus more on security – by implementing tokenization and other techniques that make it harder to steal Payment Card Industry (PCI) data – attackers will turn their attention to health care records, which contain Social Security numbers, family names and other information, in order to steal IDs or purchase drugs.
What steps can health systems take to strengthen the security of their sensitive records and databases?
Damato: A small team is both a curse and a blessing for smaller health systems. Small health systems typically have a few individuals who manage security as a part-time job. This can result in poor security practices and increase the risk of a breach. However, smaller organizations are typically nimbler, and their environments are smaller and easier to secure effectively.
If I were a resource-strapped organization, I would look at configuring custom alerts that monitor for anomalies. For example, configure an email alert to notify administrators when privileged accounts are used. Smaller organizations with only a few staff will be more easily able to identify anomalous activity – something larger organizations can’t manage nearly as easily. In my previous example, where all administrators are notified of a privileged account logon, any malicious logon would immediately raise suspicion with the account owner.
Finally, focus on adopting applications that are cloud-based. The cloud is a huge help for organizations because it removes the burden of managing infrastructure and allows limited staff to focus on other tasks, like security. Big cloud-based vendors have very large and good security teams. They are very serious about security and understand the impact to their business should they experience a breach.
How should providers evaluate potential vendors with security in mind?
Damato: Select cloud organizations that are well established and have evidence of meeting a recognized security standard.
They should ask their vendors about how they manage the security of their products, through all phases of the development lifecycle. Ideally, vendors should be able to articulate how they develop code securely, regularly test their products, and what features are included to help facilitate logging and monitoring of user activity and other important security related information. Especially for cloud-based products, customers want to be sure they have access to the correct log information, in order to facilitate an incident response, should one occur.
Regardless, be sure to perform research on those companies you are working with, and stick with those larger players that put the necessary resources into securing their clients’ data.
Are there additional tools provider organizations already leveraging cloud-based technologies can use to create that depth of defense you previously mentioned?
Damato: User access and authentication. People typically focus on encryption, which is great, but if a user can get onto the system they can bypass encryption or find a place where the data is decrypted. So, start with locking down access to databases and applications – be sure you know who has access and from where. Also utilize multi-factor authentication where possible, which will mitigate the risk that an attacker could use stolen credentials.
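The privileged-account alert Damato describes earlier (notify every administrator when a privileged account logs on, so the account owner can spot a logon that was not theirs) and the "who has access and from where" check in this last answer can be implemented as one small detection routine. This is an added example, not code from the interview or from Tanium; the log lines are constructed sshd-style samples, and the privileged-account list, trusted network and recipient address are assumed values.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of sshd-style auth log lines (not from any real system).
SAMPLE_LOG = """\
Aug 21 08:02:11 ehr-db sshd[4121]: Accepted publickey for dba_admin from 10.20.0.15 port 51022 ssh2
Aug 21 08:05:43 ehr-db sshd[4133]: Accepted password for nurse_jlee from 10.20.1.77 port 50311 ssh2
Aug 21 23:41:09 ehr-db sshd[4190]: Accepted password for dba_admin from 203.0.113.45 port 41002 ssh2
Aug 21 23:42:30 ehr-db sshd[4191]: Failed password for root from 203.0.113.45 port 41010 ssh2
"""

# Assumed: accounts whose every successful logon is announced to all administrators.
PRIVILEGED = {"root", "dba_admin"}
# Assumed: networks from which administrative logons are expected ("from where").
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ADMIN_RECIPIENTS = ["admins@example-clinic.invalid"]  # assumed distribution list

# Only successful logons matter for this alert; failed attempts are a separate signal.
LINE_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")

@dataclass
class Alert:
    user: str
    src: str
    method: str
    reasons: tuple

def privileged_logon_alerts(log_text, privileged=PRIVILEGED, trusted=TRUSTED_NETS):
    """Return one Alert per successful logon by a privileged account, with the reasons it stands out."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["user"] not in privileged:
            continue
        user, src, method = m["user"], m["src"], m["method"]
        reasons = ["privileged account used"]  # always notify, per the interview's advice
        if not any(ipaddress.ip_address(src) in net for net in trusted):
            reasons.append("source outside trusted networks")
        if method == "password":
            reasons.append("password logon (no key/MFA)")
        alerts.append(Alert(user, src, method, tuple(reasons)))
    return alerts

def format_notification(alert, recipients=ADMIN_RECIPIENTS):
    """Build the e-mail text sent to every administrator (actual sending is left to the mail system)."""
    return (f"To: {', '.join(recipients)}\n"
            f"Subject: Privileged logon: {alert.user} from {alert.src}\n"
            f"Reasons: {'; '.join(alert.reasons)}")
```

Run over the sample, the morning key-based logon from the office network is announced with a single reason, while the late-night password logon from an outside address carries all three reasons, which is exactly the kind of entry the account owner would recognise as not theirs.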