Health care organizations are a popular target for cyber attacks. According to a KPMG survey published last month, 81 percent of health care executives said their organizations had been hit by malware, botnets or cyber attacks at least once in the past two years.
Similarly, recent Raytheon/Websense research found that the health care industry experiences 340 percent more security incidents and attacks than most other industries.
Hackers are interested in health care data because of its high value, said Carl Leonard, principal security analyst for Raytheon/Websense. "Health care providers have very complete data sets. Your doctor knows pretty much everything there is to know about you," he said, adding that the data often even includes links to insurance and other sensitive financial information.
With widespread adoption of electronic health care record systems just a few years old, health care organizations are behind the curve when it comes to data protection best practices. "They are still learning how to expose data to authorized individuals," Leonard said.
Contrast that with the financial services industry, for example, where the use of two-factor authentication for online banking systems is common.
Electronic health care records are presenting a challenge for health care providers who must "balance technology with business risk," Leonard said. "Providers have to tread the line between making data readily available and making sure it is secure. Data must be encrypted, both at rest and while moving through the network."
Advanced Malware and Ransomware
In the first half of this year, the health care industry accounted for nearly 84 percent of dropper file incidents across all industries, including a spike in March in which it comprised more than 90 percent of all dropper incidents. CryptoWall and the Dyre trojan were also frequently deployed. In fact, one in every 600 attacks against the health care sector involved advanced malware, the research found.
Ransomware is an especially popular attack, Leonard said, noting that health care organizations are four-and-a-half times more likely to be impacted by ransomware than organizations in other industries. This is not surprising, given the critical importance of health care data. "The value of data to a health care organization is really immense. If that data is taken away, it can be a critical situation."
Yet health care organizations that pay ransoms risk "finding themselves caught in a vicious circle," he said. While backing up data is a recommended best practice, "the danger is that you end up backing up data that has been encrypted by ransomware."
It is better, he said, to employ early threat detection mechanisms "so you never get to the point where you have to figure out how to decrypt the data." Early threat detection is part of a comprehensive strategy that also includes controls for recognizing when data is about to leave the organization and preventing it from doing so.
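One concrete way to avoid the "vicious circle" described above, in which a backup job silently captures files that ransomware has already encrypted, is to gate the backup with an entropy check and hold back anything that no longer looks like the plaintext it used to be. The script below is an added illustration, not code from the article or from Raytheon/Websense; the file contents, the 7.5 bits-per-byte threshold and the 4096-byte sample size are constructed assumptions.

```python
import math
import random
from collections import Counter

# Constructed sample "files": a plaintext clinical note, and a blob standing in
# for ransomware output (deterministic pseudo-random bytes, no structure).
_rng = random.Random(1234)
SAMPLE_FILES = {
    "patient_note.txt": b"Patient presents with mild fever. Advised rest and fluids.\n" * 20,
    "patient_note.txt.locked": bytes(_rng.getrandbits(8) for _ in range(2048)),
}

# Assumed tuning values: bytes inspected per file, and the entropy above which
# content is treated as already encrypted (uniform random data approaches 8.0).
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Flag high-entropy content as likely ciphertext.

    Legitimately compressed formats (zip, jpeg, pdf streams) also score high,
    so in production pair this with a file-type check or a per-file baseline.
    """
    return shannon_entropy(data[:SAMPLE_BYTES]) >= threshold


def gate_backup(files: dict) -> dict:
    """Split candidate files into those safe to back up and those to quarantine.

    Quarantined files are not written over the previous good backup version,
    and their names are returned so an incident can be raised early rather
    than discovered at restore time.
    """
    accepted, suspicious = [], []
    for name, content in files.items():
        (suspicious if looks_encrypted(content) else accepted).append(name)
    return {"backup": accepted, "quarantine": suspicious}


if __name__ == "__main__":
    print(gate_backup(SAMPLE_FILES))
```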
As with any comprehensive security strategy, user education is also important, Leonard said. "That can help because you've extended your monitoring capabilities by having your employees alert you when they notice something out of the ordinary, from an actual ransomware pop-up to a phishing email."
Other best practices include preparing a breach response plan "so you are ready for the inevitable," he said.
The good news, Leonard said, is that media coverage of high-profile incidents like the Anthem data breach is "driving discussions of enterprise security at the board level."
Such breaches have been a "wake-up call" for the industry, he added. "After seeing their peers and competitors breached, health care organizations understand that now is the time to take steps to defend their organizations from top to bottom."