Last month, around 1.3 million records belonging to more than half a million blood donor applicants were exposed when the Australian Red Cross' web development agency, Precedent, left a database backup file on a publicly accessible web server. The venerable non-profit has since taken responsibility and apologized for the incident, even though the exposure was caused by a third-party agency. If anything, the mishap illustrates that resilience, rather than stronger cybersecurity tooling alone, is the key enabler of safe healthcare digitization.
The incident* is certainly not the most serious security mishap to befall the industry in recent years, since the exposure was not the result of criminally motivated action. Unfortunately, that is not the norm: a recent Ponemon Institute study found that 90% of healthcare organizations suffered a data breach in the past two years, with criminal attacks the leading cause (50% of those breaches). You have likely seen the figure driving the rise in financially motivated attacks on healthcare: medical records reportedly fetch around 10 times more than credit card data on the black market. See our 2016 CSTAR Report on Healthcare for more on medical and healthcare-related data breaches.
Robert Lord, a fellow at cybersecurity think tank ICIT and CEO of patient privacy analytics firm Protenus, speaks to the plight of digital healthcare/medicine in a recent interview:
"As a nation, we are in a serious crisis right now. What we did was spend tens of millions of dollars rolling out electronic health records. We put very little thought into how we were going to protect that data. We digitized 300 million Americans' lives, but all that information is protected in a rather weak way. Unfortunately, hackers have decided that healthcare is a very soft target, and that protected health information is extraordinarily valuable."
Resilient Models for the Healthcare Industry
Banking/finance and retail enterprises have been the traditional, long-standing targets of cybercrime, so lessons learned by firms in those industries can serve as viable models for healthcare organizations that want not just to survive but to thrive in an increasingly hostile threat landscape. Stronger cybersecurity tooling is one part of the equation, but on its own it merely buys an organization a short window between attacks. For this reason, firms have gradually moved towards digital resilience: a risk-based approach that treats data breaches as inevitable and plans for detecting and recovering from them. Security incidents can have either devastating or recoverable consequences, and resilient firms are far more likely to end up with the latter.
Volumes have been written on strategies for achieving digital resilience, but a practical starting point is proper assessment of third-party risk: inventory the vendors and agencies that handle or host your data, and verify the security of what they deploy on your behalf rather than assuming it. Again, banking/finance and retail enterprises have already taken up this key tenet of resiliency; medical firms and healthcare organizations should follow suit. Another data breach last month, at the intersection of healthcare and finance, illustrates the point: the CBHS health fund, associated with the Commonwealth Bank of Australia, suffered a data breach due to the security failures of an unnamed third-party firm. Fortunately, financial data and medical details were kept separate from the breached records, so no member health information, bank account numbers, or logins/passwords were compromised.
In short, even the most well-respected and secure organizations can and will fall victim to cyber attacks, whether through their own security failures or through unchecked third-party risk. UpGuard's resilience platform was designed to monitor IT environments for the kinds of flaws that lead to data breaches and compromises: misconfigured web server permissions, open ports, misplaced files such as backups left under a document root, and more. Additionally, our CSTAR resilience scoring lets organizations determine whether third-party vendors are negatively affecting their security posture. To learn more, give UpGuard a spin on us or try our risk grader for free today.
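As an added illustration of the "misplaced files" check described above (example code written for this post, not UpGuard's product code and not anything recovered from the Red Cross incident), the following Python scanner walks a web server document root and flags files whose names look like database dumps or site backups, plus version-control directories that should never be web-reachable. The filename patterns, the directory list and the sample document root it builds are assumptions made for this example; the planted dump contains constructed sample text, not data from any real breach.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Filename patterns that usually indicate a database dump or site backup.
# Assumed for this example; extend them to match your own naming conventions.
BACKUP_PATTERNS = [
    r"\.sql(\.gz|\.bz2|\.zip)?$",          # raw or compressed SQL dumps
    r"\.(bak|old|orig|backup)$",           # editor / admin backup copies
    r"\.(zip|tar|tar\.gz|tgz|7z|rar)$",    # archived site or DB exports
    r"^\.env$",                            # framework secrets files
    r"^(dump|backup)[._-]",                # dump-2016-10-05.sql, backup_prod.tgz
]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in BACKUP_PATTERNS]

# Directories that should never sit under a document root (assumed list).
SENSITIVE_DIRS = {".git", ".svn", ".hg"}


def looks_like_backup(name: str) -> bool:
    """True if a file name matches one of the backup/dump patterns."""
    return any(p.search(name) for p in _COMPILED)


def _finding(root: str, full: str, kind: str) -> Dict[str, object]:
    """Build one report entry for a file or directory under the document root."""
    st = os.stat(full)
    return {
        "path": os.path.relpath(full, root),
        "kind": kind,
        "bytes": st.st_size,
        # World-readable is what lets an unprivileged web server process serve it.
        "world_readable": bool(st.st_mode & stat.S_IROTH),
    }


def scan_webroot(root: str) -> List[Dict[str, object]]:
    """Walk a document root and report backup-looking files and sensitive dirs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                findings.append(_finding(root, os.path.join(dirpath, d), "sensitive-dir"))
                dirnames.remove(d)  # report the directory once; do not descend into it
        for f in filenames:
            if looks_like_backup(f):
                findings.append(_finding(root, os.path.join(dirpath, f), "backup-file"))
    return findings


def build_sample_webroot() -> str:
    """Create a throwaway document root with a planted dump. Constructed sample data only."""
    root = tempfile.mkdtemp(prefix="webroot-")
    Path(root, "index.html").write_text("<html>ok</html>\n")
    Path(root, "assets").mkdir()
    Path(root, "assets", "site.css").write_text("body {}\n")
    dump = Path(root, "donors_backup.sql")
    dump.write_text("-- constructed sample dump, not real data\nCREATE TABLE donors (id INT);\n")
    os.chmod(dump, 0o644)  # typical upload permissions: readable by the web server user
    Path(root, ".git").mkdir()
    return root


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for hit in scan_webroot(webroot):
        print(f"{hit['kind']:14} {hit['path']:25} {hit['bytes']:>6} bytes  "
              f"world-readable={hit['world_readable']}")
```

Point `scan_webroot` at a real document root (for example /var/www/html) and treat every world-readable hit as something the web server will happily serve to anyone who guesses or discovers the URL; the patterns are a starting point and should be extended with the site's own dump and export naming conventions.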
*Countless patients are in need of a life-saving gift that only takes about an hour to give, so please consider paying your local blood donation center a visit this holiday season.