Mediaplanet: How is cyber security adapting for the health care industry?

Ginny Carpenter: The health care industry has become an increasingly attractive target for cyber criminals. The richness of the data, combined with the increasing interconnectedness of health care technologies, makes the industry ripe for cyberattacks. Data assets, including electronic protected health information (ePHI), are a sought-after commodity.

The number and volume of data breaches have increased. By federal law, the U.S. Department of Health and Human Services tracks breaches of unsecured PHI affecting 500 or more individuals. The number of reported breaches increased from 197 incidents in 2010 to 278 incidents in 2014.

The costs of cyberattacks are manifold. Data breaches negatively impact an organization’s reputation, brand and the trust of its patients. Quantifiable costs include notifying affected individuals, follow-up credit monitoring, federal and state penalties and fees, the costs of repairing and mitigating IT infrastructure damage caused by the attacks and the potential for class action lawsuits.

MP: Could you explain why health care organizations are so at risk?

GC: Part of the reason for this has to do with the value of the data: Health care records have been estimated to be worth between $50 and $500 per record on the black market, depending on who's selling it and how the data will be used. That's much higher than simple stolen credit card data, which caused such a stir a few years ago with notable hacks into Target's and Home Depot's credit card data.

"Health care organizations have to look at a wide scope of issues relating to network and data security, but there's one area where they may not be focusing as much as they should: Web security."

But the other big reason for the huge volume of breaches has to do with how relatively unprepared the health care industry has been to protect its own data. Before the current emphasis on data accessibility and exchange, electronic health care information was often contained in an on-premise data center, tucked safely behind an appliance-based firewall. However, the new connected nature of the health care industry has weakened the effectiveness of traditional defense measures.

Federal incentives accelerated the adoption of digitized health records and the electronic exchange of information between health care providers and related entities. At the same time, technological innovations in providing patient care and collecting patient data have resulted in a proliferation of devices and applications that use the web to deliver communications and data between patients and providers.

MP: What steps can be taken by health care organizations to protect against these data breaches?

GC: Health care organizations can take some proactive steps to address web security risks:

  • Apply security patches, ASAP. If they are aware of a critical vulnerability, you can be sure that hackers are one step ahead of them, ready to exploit that vulnerability until they get it addressed.

  • Continuously monitor the network. Intermittent risk assessments are no longer adequate. Organizations need to be equipped to detect and respond to anomalies in network traffic in real time.

  • Scale their solutions based upon the size of their applications and their risk potential—not the size of their budget. Otherwise, they risk sacrificing performance for security, or, worst case, a security failure when their solution is unable to scale.

Health care organizations have to look at a wide scope of issues relating to network and data security, but there's one area where they may not be focusing as much as they should: Web security.

First, they need to be thinking about their web application security. Many hospitals have installed on-premise Web Application Firewalls (WAFs), which are the traditional line of defense against web application attacks, such as cross-site scripting (XSS) and SQL injection.

However, those on-premise WAFs may not be providing the full amount of protection that hospitals are expecting. WAFs require significant management overhead in order to maximize the amount of protection they can provide. They are very complex, and a lot of hospitals tend to underestimate the time, resources and expertise required to maintain them. Often a hospital will install an on-premise WAF, configure it once and then ignore it. There's a lot of reasons why that won't work, not the least of which that there is no accommodation for changes in attack vectors, which we are learning are changing constantly and becoming more and more sophisticated.

"Health care organizations need to be realistic about their vulnerability to a cyber security attack that has been traditionally associated with the gaming and retail industries." 

Supplementing an on-premise WAF with a cloud WAF may be the best solution to this problem. Cloud WAFs filter the bad actors at the edge, meaning they never reach and overburden the hospital's data center. Also, cloud WAFs are operated by companies who are in the business of understanding the latest cyber security threats as they develop, allowing them to keep the cloud WAF rules updated to protect against all the latest attack vectors.

Health care organizations should also be thinking about their vulnerability to Distributed Denial of Service (DDoS) attacks. In early 2014, the FBI sent out a private industry notification (PIN) to health care providers alerting organizations to increases in cyber intrusions and attacks. According to media reports, less than three weeks later, a large hospital became the target of repeated DDoS attacks that threatened to shut down the hospital network.

Sometimes, DDoS attacks are carried out in tandem with web application attacks. A DDoS attack can be deployed as a diversion to distract an organization from a simultaneous web application attack designed to exfiltrate protected data. In other cases, web application attacks occur independently of DDoS attacks. In either scenario, health care organizations need to be realistic about their vulnerability to a cyber security attack that has been traditionally associated with the gaming and retail industries. The health care industry is just as vulnerable and should develop a web security program that takes that reality into account.

Mediaplanet: What’s in store for web security in the health care industry?

GC: After the large volume of health care data breaches in 2015 and the increasing awareness of the significant costs facing health care organizations relating to data breaches, I believe 2016 will find many health care organizations making cyber security one of their highest priorities. The industry will start to make use of the same cybersecurity technologies that other industries have been relying on for years, and I believe 2016 will be the beginning of the end of the stigma on the health care industry as the most vulnerable industry with the most valuable data.