Author: Christian Aboujaoude, Senior Director Enterprise Architecture, Scripps Health
In recent months, the healthcare industry has been the number one target of cyberattacks, exposing tens of millions of customers’ identities around the world, costing more than $1 billion USD in losses.
Executives from the National Association of County and City Health Officials say that healthcare breaches can cost up to $400 a patient, and yet, only 33 percent of the industry has taken the preventative measure of protecting themselves properly. With billions of people across the world entrusting healthcare organizations to protect their identities, and these same organizations relying on their critical infrastructure to secure it all, it becomes crucial to not just have the right cybersecurity solution in place to stop an attack before it has a catastrophic impact, but to ensure they are able to prevent future ones from ever happening.
My provider organization— the San Diego-based Scripps Health—takes cybersecurity seriously, and has for many years. In 2013, we determined to take an identity-first approach to protect both internal and external data, and engaged with firms such as SecureAuth to pioneer an identity solution that would protect both internal and external data according to our unique needs. Today, we continue to evolve our solution to keep up emerging threats, and to stay ahead of threat trends and attackers.
Below are some of the biggest cybersecurity threat trends facing the healthcare industry for 2019, and some recommendations to combat them.
The growing trend of blurring lines between personal and business activities online
We are starting to see a kind of “blurring-of-the-lines” between personal activity on the Internet, and the activities that are done from a business perspective. For example, people often use their work email address for personal things, and/or they don’t know how to disable certain device tracking settings, such as cookies, that track their every move. Unfortunately, they don’t believe that it’s actually a problem, when indeed, it is. It’s like leaving the door open for people with malintent to send phishing emails so targeted that it’s often hard to decipher what’s real.
Even more sophisticated, very targeted phishing attacks
According to one 2018 study, mobile device phishing attacks are up 85 percent, year-over-year, since 2011, and the reason has to do with the increasing amount of data collected by every site and app visited on your mobile device.
The easiest thing to do is go on your phone, do a search on the Internet, and within a couple of hours, you go onto Facebook or Instagram, for example, and you’ll notice that all of a sudden, you have targeted marketing in your feed based on your previous search. That data from your search is also sent to other organizations, which means many things people do online is no longer private, leaving you open for a very targeted phishing attack.
To try to prevent these emails from getting through, we’re constantly improving the environment by adding triggers that identify whether our users should trust or not.
The continual rapid rise of identity theft
2017 saw an unprecedented amount of identities stolen, to the tune of 158 million social security numbers and 16.5 million credit card numbers—and 27 percent of those thefts belonged to the healthcare industry, according to Experian’s latest identity theft statistics. It’s the continual rise of these thefts that has prompted us to think outside of the box, and into the future, on how to protect patients and employees.
We need to create an external identity and an internal identity, and what I mean by that is, we need the external world to see us one way (our presence on the Internet), and then the internal systems need to have a mask of sorts, like a VPN, to prevent attackers from being able to monitor activity. From a cloud perspective, it’s imperative to use a service proxy from an identity provider to authenticate back and forth.
We use biometrics to ensure that the right user is supposed to be taking the action they are trying to take. We also lock down access to certain websites to be from an internal IP range, versus having the open Internet all the time. Taking these measures reduces the amount of exposure that attackers have from an outside perspective.
What’s more, here are some things that are easily implemented that can help keep data secure:
At Scripps Health, we implemented a mandatory, continuous education program for employees that helps them to understand how their personal actions on business devices, emails, and so forth, can have a detrimental effect on the organization.
It all starts with humans, and whether intentional or unintentional, we all make mistakes. Thus, we are working to reduce these behaviors while avoiding the creation of a negative and overly complex experience for our employees. From a user perspective, security is attached to everything we do. We aren’t always aware of that, and we need to be. From an IT perspective, it’s around understanding business process in order to build the right cybersecurity framework.
While education is a significant preventative measure, the evolution of the environment to account for future new kinds of attacks is even greater.
Most people have not spent a lot of time thinking about how they change their environment, how they change their actions, and leverage a Security Operations Center (SOC), and in my opinion, that needs to change significantly. I really like to implement processes that we can leverage and expand on. It’s vital to the health of our infrastructure.
Having the right tools in place
To continue to protect the environment, we have made a significant investment in the tools we use to keep our infrastructure safe.
We believe that having the right tools in place reduces negativity and complexity in our environment. In fact, I don’t subscribe to the opinion of needing to have complexity to have security. The more complex your infrastructure is, the more exposed you are.
This article originally appeared on Healthcare Informatics on December, 3rd 2018