To get the most out of their efforts, criminals target the most lucrative sources of personal information, and medical records sit at the top of that list. A stolen healthcare file is worth roughly ten times a conventional identity-theft record: a hijacked identity yields about $2,000 on average, while the breadth of data in a medical record can bring up to $20,000. Protected Health Information (PHI, the HIPAA term) is a treasure trove of birthdates, family names (useful for guessing passwords and security-question answers), Social Security and tax identification numbers, and other data tied to receiving medical care. The value of this data is hard to overstate, and several other factors combine to make PHI more exposed than it should be. Healthcare providers struggling with the security of their patients' data are beginning to realize the answer is right in front of them: don't trust anyone by default.
A volatile mix of factors has created the largest ever hoard of hackable personal data, and it sits with the industry least prepared to protect it. A complete medical file contains identifiers that cannot be changed on demand, such as a Social Insurance Number (SIN). Unlike a payment card number, they cannot be reissued after a breach, so the long time to detection and resolution gives attackers days or weeks to defraud patients before the tap runs dry. Moreover, the haphazard deployment of IoT and other connected devices used in patient care gives attackers a way to affect patients' health, not only their wallets.
Image from Comparitech, 2020
Hospital staff attending to patients are overworked and simply do not have time to consider the implications of poor security hygiene. Their priority is the complex, precariously stacked array of applications, network resources and internet-connected devices that let them do their jobs. Any downtime is a health risk, so resistance to multi-factor authentication and other best practices is the norm. In networks with many attack vectors, highly valuable data and negligent (if well-meaning) users, a low-touch security strategy that does not depend on user diligence is needed to lift the lowest-hanging fruit out of attackers' reach.
One of the clearest illustrations is that it took until 2017 for the majority of healthcare breaches to originate from external attackers rather than from mistakes inside healthcare organizations. Healthcare had been a ripe target long before then, so the fact that insider negligence outpaced intentional breaches for so long is a scary thought, especially for providers who put a premium on HIPAA compliance. In one particularly cringe-worthy case, a PHI breach went undiscovered for 14 years before it was found and closed. Providers are now forced to confront the fact that a highly educated workforce does not necessarily have the security education to be trusted with unrestricted access. Many are therefore adopting Zero Trust as a network access model. In the traditional model, once a doctor was authorized onto the network, he or she was trusted in every corner of it, full stop: access to the network implied access to every system on it. At a time when one in five healthcare workers is willing to sell PHI for as little as $500, that implicit trust is untenable, and Zero Trust is key.
Zero Trust is aptly named: it is a security model in which no user or device is trusted by default. Every request is authenticated and authorized against the user's identity and role and the state of the device it comes from, every access is logged, and users are granted access only to the specific segments of the network their jobs require. If you don't need to see part of the network, you can't reach it, and you cannot do anything compromising inside the parts you can reach without IT being alerted. For regulatory regimes such as HIPAA, this level of vigilance is not frivolous, it is necessary.
In the hybrid-cloud environments healthcare providers commonly run, Zero Trust is far safer than perimeter-centric models simply because a fixed perimeter no longer exists. Applications and data move between the data centre and cloud services and are accessed by a range of devices and people with varying degrees of protection, so a single network boundary cannot be the trust decision. Because a Zero Trust architecture segments users into the areas they absolutely need, both accidental insider breaches and those that start from outside are sharply reduced: a compromised account or device reaches one segment, not the whole network. The caveat is that segmentation limits blast radius; it does not stop a user from misusing data within their own grant, which is why the monitoring side of the model matters as much as the access side.
The idea behind Zero Trust is one thing; arriving there is another. Healthcare providers should look to network security solutions that implement a Software-Defined Perimeter (SDP) as their foundational step. An SDP authenticates and authorizes the user and device before exposing any service to them, so unauthenticated connections see nothing to scan and each user is connected only to the applications they are entitled to. Supplementing the SDP with security awareness education is also important.
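As an added example that is not part of the original article or any vendor's product, the following Python contrasts the perimeter model described above (a valid network session reaches everything) with a Zero Trust policy decision point that checks identity, MFA, device posture and a least-privilege role-to-segment map on every request, records every decision, and picks out the out-of-scope denials that signal an account probing segments its job does not need. The role names, resource names, device fields and sample requests are hypothetical, constructed for illustration.

```python
"""Zero Trust per-request authorization versus a perimeter model.

Added example, not from the original article or any vendor product.
Roles, resource names, device fields and requests are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Principal:
    user: str
    role: str
    session_valid: bool   # holds an authenticated network/VPN session
    mfa_verified: bool    # completed MFA for this session


@dataclass
class Device:
    device_id: str
    managed: bool         # enrolled in the organisation's device management
    patched: bool         # OS and agent at the required patch level


@dataclass
class Request:
    principal: Principal
    device: Device
    resource: str         # network segment / application, e.g. "ehr/patients"
    action: str           # "read" or "write"


# Least-privilege grants: each role sees only the segments its job needs.
# Hypothetical mapping for illustration.
ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "nurse": {"ehr/patients": {"read", "write"}, "lab/results": {"read"}},
    "physician": {"ehr/patients": {"read", "write"},
                  "lab/results": {"read", "write"}, "imaging/pacs": {"read"}},
    "billing": {"billing/claims": {"read", "write"}},
}

AUDIT_LOG: List[dict] = []


def perimeter_allow(req: Request) -> bool:
    """Traditional model: a valid session on the network reaches everything.
    Resource, action and device posture are never consulted, so one careless
    or compromised account exposes every segment."""
    return req.principal.session_valid


def zero_trust_decide(req: Request) -> Tuple[bool, str]:
    """Evaluate identity, device posture and least-privilege scope on every
    request. Deny by default; return (allowed, reason) so the reason can be
    logged and alerted on."""
    p, d = req.principal, req.device
    if not p.session_valid:
        return False, "no valid session"
    if not p.mfa_verified:
        return False, "mfa not verified"
    if not d.managed:
        return False, "unmanaged device"
    if not d.patched:
        return False, "device posture: unpatched"
    grants = ROLE_POLICY.get(p.role, {}).get(req.resource, set())
    if not grants:
        return False, f"scope: role {p.role} has no grant on {req.resource}"
    if req.action not in grants:
        return False, f"scope: {req.action} not granted on {req.resource}"
    return True, "policy match"


def authorize(req: Request) -> bool:
    """Policy enforcement point: decide, then record every decision."""
    allowed, reason = zero_trust_decide(req)
    AUDIT_LOG.append({
        "user": req.principal.user, "device": req.device.device_id,
        "resource": req.resource, "action": req.action,
        "allowed": allowed, "reason": reason,
    })
    return allowed


def scope_probes(log: List[dict]) -> List[dict]:
    """Detection hook: denials from healthy, MFA-verified sessions that hit
    segments outside the role's grant are the signal that an account is
    probing where its job does not take it. Posture denials are excluded
    because they are usually hygiene problems rather than intent."""
    return [e for e in log if not e["allowed"] and e["reason"].startswith("scope:")]


def run_examples() -> List[Tuple[str, bool, bool]]:
    """Constructed requests; returns (label, perimeter_result, zero_trust_result)."""
    ward_pc = Device("ward-pc-07", managed=True, patched=True)
    home_laptop = Device("byod-3f2a", managed=False, patched=True)
    nurse = Principal("n.patel", "nurse", session_valid=True, mfa_verified=True)
    nurse_no_mfa = Principal("n.patel", "nurse", session_valid=True, mfa_verified=False)
    physician = Principal("dr.ortiz", "physician", session_valid=True, mfa_verified=True)
    cases = [
        ("nurse reads chart from ward PC", Request(nurse, ward_pc, "ehr/patients", "read")),
        ("nurse writes a lab result", Request(nurse, ward_pc, "lab/results", "write")),
        ("nurse opens billing claims", Request(nurse, ward_pc, "billing/claims", "read")),
        ("nurse without MFA reads chart", Request(nurse_no_mfa, ward_pc, "ehr/patients", "read")),
        ("physician reads PACS from home laptop", Request(physician, home_laptop, "imaging/pacs", "read")),
    ]
    return [(label, perimeter_allow(r), authorize(r)) for label, r in cases]


if __name__ == "__main__":
    for label, perim, zt in run_examples():
        print(f"{label:40} perimeter={perim!s:5} zero_trust={zt}")
    print("scope probes worth an alert:", [e["resource"] for e in scope_probes(AUDIT_LOG)])
```

Every one of the five requests passes the perimeter check, because the nurse and physician both hold valid sessions; only the first passes the Zero Trust check. The two "scope:" denials (a nurse writing lab results and opening billing) are the ones worth an analyst's attention, while the MFA and unmanaged-device denials are posture failures that a help desk, not a SOC, should resolve.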
Healthcare workers need to recognize that they face daily threats to data security and to learn their role in securing the network. This two-pronged strategy is robust, but it will never stave off attackers entirely; PHI is simply too lucrative. What it will do is make attacks expensive and difficult enough to dissuade bad actors, pushing them on to the next most vulnerable industry. Better there than here.