The Ponemon Institute just released some unsurprisingly bleak findings in its annual study on healthcare data privacy/security, including data showing deliberate criminal attacks now accounting for most medical data breaches. The report goes on to illustrate how the healthcare industry— sitting on a treasure trove of valuable data— is ill-equipped to counter these attacks. Perhaps forward-thinking enterprise healthcare leaders should start considering DevSecOps as a viable strategy for surviving the perils of the information age.
That's right: just as DevOps is beginning to settle into standard IT vernacular, yet another term is making its way to the forefront. DevSecOps (also known as SecDevOps or DevOps security) is the integration of DevOps concepts and methodologies with security, incorporating the proper security tools and processes into every stage of the DevOps pipeline or toolchain. As its name implies, DevSecOps extends the values of DevOps by promoting collaboration and breaking down the information silos between security, development, and operations. These ideals can transform industries well outside of software development, and arguably no industry needs transformation more right now than healthcare. Industry research firm Triple Tree aptly sums up the industry's current dire state:
“Despite its size and growth trajectory, the healthcare industry is plagued with large-scale problems and inefficiencies that are prompting a massive transformation in how care is accessed, delivered, and reimbursed. The fundamental challenges confronting healthcare have created opportunities for companies with innovative technology and services that address the most costly problems.”
Sounds like a job for DevOps, but is DevOps up for the challenge on its own? If the last few months are an indication of things to come security-wise, the healthcare industry requires something more rugged. The high-profile Anthem and Premera Blue Cross compromises earlier this year were the largest healthcare data breaches on record at the time, highlighting the lack of security preparedness in even the largest healthcare entities. Clearly, DevSecOps holds much promise for healthcare organizations looking to incorporate security, operational efficiency, and cross-functional collaboration at scale.
Analysis of The Ponemon Institute's report yields some clear cases for DevSecOps. The research covers 90 healthcare organizations (HIPAA covered entities) and 88 business associates, the third parties that regularly use and disclose protected health information on their behalf. Here are some notable data points from the study:
For the first time, criminal attacks are the primary cause of data breaches in healthcare.
Since criminal attacks now comprise the majority of healthcare data breaches, IT security measures must evolve to combat an increasingly sophisticated foe. Standard perimeter tools such as intrusion detection/prevention systems (IDS/IPS) and firewalls can be bolstered with solutions like UpGuard for comprehensive vulnerability scanning and continuous configuration monitoring of the hosts behind that perimeter.
91% of healthcare organizations have had patient data stolen or lost in the past 24 months.
Despite federal regulations like HIPAA providing strict oversight and guidance on healthcare data privacy, most healthcare organizations continue to lose patient data through data breaches. Clearly, current healthcare IT control mechanisms are ineffective for mitigating both unintended/accidental data loss as well as criminal intrusions.
Over half of healthcare organizations experienced incidents resulting from software vulnerabilities over 3 months old. 45% experienced incidents resulting from software vulnerabilities less than 3 months old.
The healthcare industry’s ability to effectively manage vulnerabilities is a critical area of concern here, as IT is directly responsible for ensuring systems are up-to-date and patched. Unlike lost/stolen devices, spear phishing, and web-borne malware attacks, vulnerability exploits are more easily and directly preventable through continuous security monitoring provided by DevSecOps tools like UpGuard.
69% of healthcare organizations discovered data breaches through audit and/or security assessment activities.
Note that percentages around “data breach discoveries made through continuous security monitoring and assessment” are noticeably absent. Healthcare organizations clearly lack a structured mechanism for validating security postures on an ongoing basis. And though these statistics highlight the importance of continually assessing and bolstering one’s security profile through required audits and post-incident assessments, healthcare organizations’ methods for assessing risk are problematic.
61% of healthcare organizations interviewed do not have an automated mechanism for assessing risk following a security incident involving electronic documents.
Most healthcare organizations are using ad hoc processes, manual efforts, and internally developed tools for risk assessment following security incidents. Troublesome, to say the least. This casts serious doubt not only on the accuracy and effectiveness of forensic analysis and remediation efforts, but also on the preventive measures meant to stop future data breaches. DevSecOps tools like UpGuard can provide comprehensive insight into post-breach changes by comparing a known-good baseline against the current state of a system: what ports were opened, what files were changed, what services were started or stopped. By offering a comprehensive view of a security incident, the platform enables healthcare organizations to close their existing security gaps more quickly and easily. Furthermore, UpGuard provides vulnerability assessments using up-to-date vulnerability definitions, giving organizations the ability to accurately gauge the strength of their security models against the latest threats.
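To make the baseline-versus-incident comparison concrete, here is an added example (written for this page, not UpGuard's own code or anything from the Ponemon report) of the kind of drift check a team can run after an incident. It captures the three change classes mentioned above, listening ports, file content hashes, and running services, as a snapshot, then diffs a post-incident snapshot against a baseline. The snapshot layout, the hypothetical EHR application server, and the sample data are all assumptions constructed for illustration; `hash_files` is the one piece that reads real files from disk if you point it at them.

```python
"""Baseline-vs-incident configuration drift check (added example, not UpGuard's code).

A Snapshot holds what we care about on one host; diff_snapshots() reports what
changed between two of them. Sample data below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class Snapshot:
    ports: Set[int]            # listening TCP/UDP ports
    files: Dict[str, str]      # path -> SHA-256 hex digest of the file's content
    services: Set[str]         # names of running services


@dataclass
class Drift:
    ports_opened: Set[int] = field(default_factory=set)
    ports_closed: Set[int] = field(default_factory=set)
    files_added: Set[str] = field(default_factory=set)
    files_removed: Set[str] = field(default_factory=set)
    files_modified: Set[str] = field(default_factory=set)
    services_started: Set[str] = field(default_factory=set)
    services_stopped: Set[str] = field(default_factory=set)

    def is_clean(self) -> bool:
        """True when no change of any class was detected."""
        return not any(vars(self).values())


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_files(paths: Iterable[str]) -> Dict[str, str]:
    """Build the `files` part of a Snapshot from real paths on disk.

    Missing paths are skipped rather than raised, so a file deleted since the
    baseline shows up as 'removed' in the diff instead of aborting the capture.
    """
    out: Dict[str, str] = {}
    for p in paths:
        try:
            out[p] = sha256_of(p)
        except FileNotFoundError:
            continue
    return out


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Drift:
    """Report every difference between a known-good baseline and the current state."""
    d = Drift()
    d.ports_opened = current.ports - baseline.ports
    d.ports_closed = baseline.ports - current.ports
    d.files_added = set(current.files) - set(baseline.files)
    d.files_removed = set(baseline.files) - set(current.files)
    d.files_modified = {
        p for p in baseline.files
        if p in current.files and baseline.files[p] != current.files[p]
    }
    d.services_started = current.services - baseline.services
    d.services_stopped = baseline.services - current.services
    return d


def format_report(d: Drift) -> List[str]:
    """Render only the non-empty change classes, one line each."""
    lines = []
    for name, values in vars(d).items():
        if values:
            lines.append(f"{name}: {', '.join(str(v) for v in sorted(values))}")
    return lines or ["no drift from baseline"]


# Constructed sample snapshots for a hypothetical EHR application server.
# The digests are real SHA-256 values of constructed placeholder content.
BASELINE = Snapshot(
    ports={22, 443},
    files={
        "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest(),
        "/var/www/app/config.php": hashlib.sha256(b"<?php $db = 'ehr';").hexdigest(),
    },
    services={"sshd", "nginx", "postgresql", "auditd"},
)
INCIDENT = Snapshot(
    ports={22, 443, 4444},                                   # 4444 newly listening
    files={
        "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin yes\n").hexdigest(),
        "/var/www/app/config.php": BASELINE.files["/var/www/app/config.php"],
        "/tmp/.x/shell.php": hashlib.sha256(b"<?php system($_GET['c']);").hexdigest(),
    },
    services={"sshd", "nginx", "postgresql", "cron"},        # auditd gone, cron new
)

if __name__ == "__main__":
    for line in format_report(diff_snapshots(BASELINE, INCIDENT)):
        print(line)
```

The design point is that the baseline must be captured before the incident and stored off-host; a diff against a snapshot taken after compromise, or against one the attacker could have edited, tells you nothing. Run the capture on a schedule and alert on any non-empty `Drift`, and the same code doubles as the continuous monitoring the report finds missing.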
Some additional troublesome figures from the report:
Data breaches are costing the healthcare industry an estimated $6 billion per year
Over 90 percent of healthcare organizations in the study had a data breach
40 percent had more than five data breaches over the past two years
The average estimated cost of a data breach for healthcare organizations is over $2.1 million
Half of all organizations have little or no confidence in their ability to detect all patient data loss or theft
A scant 40 percent of healthcare organizations are concerned about cyber attackers
So can DevSecOps save the healthcare industry from a dark, threat-laden future? Very likely, though at the most basic level, continuous security monitoring and configuration management (CM) will suffice for starters. UpGuard was designed to alleviate many of the specific issues highlighted in this report, problems that when left unremediated can and will lead to a data breach.
Access to free vulnerability assessment should be a basic right in a world where computing is integral to social and economic life. For our part, we're offering our full product, including vulnerability assessment, free forever for a user's first ten machines.