

Incident Response: Becoming Breach Prepared

There are several best practices to consider when responding to a breach of healthcare information.

Data breaches continue to shake the healthcare industry, exposing sensitive information for millions of patients annually.

Indeed, CompTIA's International Trends in Cybersecurity Report found that nearly three out of four organizations globally have been plagued by at least one security breach or incident in the past year, with about 60% of these breaches deemed serious.

Damage is compounded by the fact that many breaches are not discovered until weeks or months later, long after the data has been sold or used for nefarious purposes. So what can healthcare organizations do to better prepare themselves for increasingly advanced and damaging security threats?

Security isn't just an IT issue anymore - it's an organization-wide issue. As such, responsibilities for information security are increasingly distributed across an organization - from IT to human resources to compliance and even operations. This new reality can create dangerous policy and process silos that hinder efforts to elevate IT security.

To combat these challenges, we must first change the way we think of security. Breaches are inevitable, and this new thinking requires understanding that it's no longer just about adding defenses to prevent these inevitable attacks. Instead, it's important to focus on how we prepare and respond to an incident to better manage and mitigate the damage. To do this successfully, it's vital to look at the healthcare industry's threat landscape, as well as past vulnerabilities and weak spots within an organization.

Threat Landscape - Challenges & Vulnerabilities

Threats to the healthcare industry are only expected to escalate, as stolen healthcare records continue to bring hackers some of the biggest financial rewards - putting the focus on one of the industry's biggest vulnerabilities: end users. Verizon's recently released 2016 Data Breach Incident Report (DBIR) shows that healthcare is one of the top industries represented in many of the incident classification categories, including insider misuse, miscellaneous errors and physical theft/loss - most of which are tied to end users.

One way we are seeing hackers exploit end users to gain access to a health system's network is through a "watering hole attack," in which an attacker guesses or observes which websites the group often uses and infects one or more of them with malware or ransomware. Eventually, an end user makes a mistake and downloads the malware, infecting an entire organization. Ransomware incidents can literally shut down an entire health system - something that the industry cannot afford when patient care and safety are at stake.


System vulnerabilities and user error are at the core of the vast majority of data breaches. System vulnerabilities can include weak and/or shared passwords and missing patches or misconfigurations. User error is more complex and is the weakness exploited in a growing number of attacks. A prime example is the phishing campaign, in which an attacker seeks to obtain critical information, such as login credentials or account information, by posing as a credible entity or person via email or other online communication channels.

In the HIMSS 2015 Cybersecurity Survey, 69% of healthcare providers surveyed listed phishing tactics as their biggest concern. Even though the industry recognizes that phishing is a growing risk, end users are still falling for these practices. Verizon's DBIR shows that the median time it takes for the first user targeted in a phishing campaign to open the malicious email is 1 minute, 40 seconds, and the median time before the first user clicks on the attachment is 3 minutes, 45 seconds.

As the stakes and risks continue to rise, healthcare organizations are focused on taking a deeper look at core vulnerabilities and security strategies to better protect their networks and ensure employees are equipped with the knowledge to recognize impending and evolving threats.

Putting Your Best Foot Forward: Strategic Application

The security industry, as a whole, has long focused on helping enterprises to build layered defenses to keep intruders out. No one, however, has a 100% success rate - especially when it comes to preventing instances that involve the loss of a device or user error. That doesn't mean the battle is lost, though. There is a significant difference between discovering a breach 365 days after it happens and the minute it happens.

Employee awareness, participation and investment are key factors to mitigating damage, as they can lead to faster identification of threats. Without the support of people and processes, the most intense security strategy in the world will not work. Human error, lost devices and misplaced information will continue to plague enterprises - there's no way around it. Organizations need to not only focus on technology, but also prepare for and minimize risk through education, training and security policies at all stages of the security lifecycle - before, during and after an incident.

From a strategic standpoint, there are several best practices to consider. End users are a critical vulnerability point when it comes to IT security. No employee is immune to a data breach, so a comprehensive security strategy must include all members of an organization, while also considering the processes and technology that affect employees each day.

Providing education on security and policies across all departments, while remaining committed to enforcing those policies, can help to ensure that all employees across an organization are working to meet the security requirements in place.

When departments or lines of business seek to implement new technologies, such as cloud or mobility solutions, it's critical to engage the IT team proactively and involve them in every step of the process in order to meet both internal and HIPAA regulations. And while organizations need to ensure that their security strategies comply with HIPAA standards, as well as any internal organizational requirements, it's vital to find and revise overly and overtly restrictive policies, or employees will find ways around them - opening up new vulnerabilities for attacks.

For example, workstation authentication is an ongoing problem for providers - it's important to strike a balance between security and usability. If it's too painful and time-consuming for employees to log in, they simply won't do it. Offer a flexible yet secure way for employees to do their jobs.

Another best practice is to start measuring time to detect and respond to a breach. This tactic will provide a metric for where an organization stands in its incident response plan - and sets the stage for improvement. Having a third party conduct a comprehensive, annual risk assessment test, complete with penetration testing, is essential to understanding vulnerabilities and how prepared an organization is to respond to them. Understanding how a serious adversary would approach the environment, as well as how they would act once they have achieved access and escalated to breach personal health information, is infinitely valuable.
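One way to start tracking time to detect and time to respond, as an added example that is not part of the original article: the record layout, category names and incident IDs below are constructed for illustration. It reports the median hours from occurrence to detection and from detection to containment, overall and per incident category, while setting aside open incidents and records with impossible timestamps.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (not real incidents), in the order:
# id, category, occurred, detected, contained. contained=None means the
# response is still open.
INCIDENTS = [
    ("IR-001", "phishing",    "2016-01-04T09:00", "2016-01-04T13:00", "2016-01-05T13:00"),
    ("IR-002", "lost_device", "2016-02-10T08:00", "2016-02-12T08:00", "2016-02-12T20:00"),
    ("IR-003", "phishing",    "2016-03-01T10:00", "2016-03-01T20:00", None),
    ("IR-004", "ransomware",  "2016-03-15T00:00", "2016-03-15T02:00", "2016-03-18T02:00"),
    ("IR-005", "phishing",    "2016-04-02T12:00", "2016-04-02T11:00", "2016-04-02T15:00"),
]

def hours_between(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600

def response_metrics(incidents):
    """Median time to detect and time to respond, overall and per category."""
    ttd, ttr = defaultdict(list), defaultdict(list)
    still_open, rejected = [], []
    for inc_id, category, occurred, detected, contained in incidents:
        detect_h = hours_between(occurred, detected)
        if detect_h < 0:
            # Detection before occurrence is a data-entry error; counting it
            # would make the median look better than real performance.
            rejected.append(inc_id)
            continue
        for key in ("all", category):
            ttd[key].append(detect_h)
        if contained is None:
            # Detected but not yet contained: counts toward detection only.
            still_open.append(inc_id)
            continue
        for key in ("all", category):
            ttr[key].append(hours_between(detected, contained))
    return {
        "median_ttd_hours": {k: median(v) for k, v in ttd.items()},
        "median_ttr_hours": {k: median(v) for k, v in ttr.items()},
        "open": still_open,
        "rejected": rejected,
    }

if __name__ == "__main__":
    for name, value in response_metrics(INCIDENTS).items():
        print(name, value)
```

Medians are used rather than means so that a single long-undetected breach does not mask the typical case; review the outliers separately.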

To avoid policy and process silos that can get in the way of a truly comprehensive and collaborative security strategy, it is also important to focus on greater transparency, reaching across departmental barriers to foster greater collaboration, communication and training, and empower more effective security in healthcare. Clearly defined roles and responsibilities, as well as regular meetings among key stakeholders across departments, can go a long way toward better coordinating efforts and ensuring rapid and effective response to emerging and evolving threats.

Old vs. New Security Mindset

As the threat landscape continues to evolve, healthcare organizations must remain vigilant - regularly evaluating and modifying their strategies and tactics. Attackers will gain access to more sophisticated technology and methods, meaning organizations need the ability to assess their security situation at all points of the lifecycle - from identifying the problem to protecting and recovering - in order to successfully respond to threats and minimize impact. Effective security strategies also must consider all people, processes and technology involved to not only better prepare for an attack, but also to ensure an organization can respond to incidents more quickly and effectively, minimizing overall damage. 

Jeremy Weiss is lead security solution architect at CDW Healthcare.


© 2017 ADVANCE Healthcare, an Elite CE company