Updated on April 30, 2018 by UpGuard
Last month, around 1.3 million records belonging to over half a million blood donor applicants were breached when the Australian Red Cross' web development agency Precedent left a database backup exposed on a public website. The venerable non-profit has since taken responsibility and apologized for the incident, even though the fault lay with a third-party agency. If anything, the mishap serves to illustrate that resilience—not stronger cybersecurity—is the key enabler of safe healthcare digitization.
The incident is certainly not the most serious of security mishaps to befall the industry in recent years, as the breach was not the result of criminally motivated actions. Unfortunately, this is not the norm: a recent study by the Ponemon Institute found that 90% of healthcare organizations suffered a data breach in the past two years, with criminal attacks comprising the largest share (50%) of these breaches. You've likely seen the driving figures behind the rise of financially motivated attacks on healthcare: medical information is worth 10 times more than credit card data on the black market. Check out our 2016 CSTAR Report on Healthcare for more information regarding medical and healthcare-related data breaches.
"As a nation, we are in a serious crisis right now. What we did was spend tens of millions of dollars rolling out electronic health records. We put very little thought into how we were going to protect that data. We digitized 300 million Americans' lives, but all that information is protected in a rather weak way. Unfortunately, hackers have decided that healthcare is a very soft target, and that protected health information is extraordinarily valuable."
Resilient Models for the Healthcare Industry
Banking/finance and retail enterprises have been the traditional, long-standing targets of cybercrime; lessons learned from firms operating in these industries can therefore serve as viable models for healthcare organizations to not just survive, but thrive in increasingly hostile cyber threat landscapes. Stronger cybersecurity tooling is one part of the equation, but—implemented on its own—merely buys organizations a scant window between cyber attacks. For this reason, firms have gradually moved towards digital resilience, or a risk-based approach to dealing with inevitable data breaches. Security incidents can either have devastating or recoverable consequences—resilient firms are more likely to find themselves on the latter side of these two outcomes.
Volumes have been written on strategies for achieving digital resilience, but a practical starting point for aspiring organizations is the proper assessment of third-party risk. Again, banking/finance and retail enterprises have been taking up this key tenet of resiliency; medical firms and healthcare organizations should follow suit. Interestingly, another data breach last month, at the convergence of healthcare and finance, illustrates this point: the Commonwealth Bank of Australia's CBHS health fund suffered a data breach due to the security failures of an unnamed third-party firm. Fortunately, financial data and medical details were decoupled from the breached records—as a result, no member health information, bank account numbers, or logins/passwords were compromised.
In short, even the most well-respected and secure organizations can and will fall victim to cyber attacks, either due to their own direct security failures or unchecked third-party risk. UpGuard's resilience platform was designed to monitor for flaws in IT environments that could lead to data breaches and security compromises: misconfigured web server permissions, open ports, misplaced files, and more. Additionally, our CSTAR resilience scoring enables organizations to determine if third-party vendors are impacting their security posture negatively. To learn more, give UpGuard a spin on us or try out our risk grader for free today.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to digital systems and stored data. And the problem is pervasive, with Gartner estimating anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.
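As an added example (not code from UpGuard or from the original post), here is a small defender-side check for the class of misconfiguration behind the Red Cross incident: it walks a web document root and flags files whose names look like database dumps or site backups, since anything under the docroot is served to whoever guesses the URL. The file names and permission modes in SAMPLE_ENTRIES are constructed for the demo, and the name patterns are a starting list, not an exhaustive one.

```python
"""Flag misplaced database dumps and site backups under a web document root."""
import os
import stat
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Suffixes and name fragments that commonly indicate a dump or backup (assumed list).
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".dump", ".bak", ".tar.gz", ".zip", ".old")


def looks_like_backup(name: str) -> bool:
    lower = name.lower()
    return lower.endswith(BACKUP_SUFFIXES) or "backup" in lower or "dump" in lower


def classify(rel_path: str, mode: int) -> Optional[dict]:
    """Return a finding for one file, or None if its name is unremarkable.
    rel_path is relative to the docroot; mode is the st_mode bits of the file."""
    if not looks_like_backup(os.path.basename(rel_path)):
        return None
    # Permission bits are only a hint: the web server's own user can usually read
    # 0600 files too, so a non-world-readable dump under the docroot is still a finding.
    world_readable = bool(mode & stat.S_IROTH)
    return {
        "path": rel_path,
        "url_path": "/" + rel_path.replace(os.sep, "/"),
        "world_readable": world_readable,
        "severity": "critical" if world_readable else "high",
    }


def scan_entries(entries: Iterable[Tuple[str, int]]) -> List[dict]:
    """Pure scan over (relative_path, st_mode) pairs, so it also runs on constructed data."""
    return [f for f in (classify(p, m) for p, m in entries) if f is not None]


def scan_docroot(docroot: str) -> List[dict]:
    """Walk a real document root (e.g. /var/www/html) and scan every regular file."""
    root = Path(docroot)
    files = (p for p in root.rglob("*") if p.is_file())
    return scan_entries((str(p.relative_to(root)), p.stat().st_mode) for p in files)


# Constructed sample listing; not taken from any real site.
SAMPLE_ENTRIES = [
    ("index.html", 0o100644),
    ("assets/logo.png", 0o100644),
    ("wp-content/uploads/db_backup_2016-09.sql", 0o100644),  # exposed dump, world-readable
    ("old/site.tar.gz", 0o100600),                           # misplaced, but mode 0600
    ("css/style.css", 0o100644),
]

if __name__ == "__main__":
    for f in scan_entries(SAMPLE_ENTRIES):
        print(f"{f['severity']:8} {f['url_path']} world_readable={f['world_readable']}")
```

Run it against a real server with `scan_docroot("/var/www/html")`; a clean result means no file under the docroot matches the patterns, not that the server is free of other misconfigurations.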