How to Secure Consumer Protected Health Information

The black market sales of medical information is a lucrative business and has resulted in the healthcare industry being a target for cyber criminals around the globe. Additionally, the lack of security measures and resources in place throughout the health industry makes it an easy target. 

Why is health data targeted?

Consumer health data, also known as protected health information (PHI), is a target for many security breaches because it often sells for up to 10x more than credit card numbers compromised in similar attacks. A successful healthcare data breach also leaks access to:

• PHI
• PII
• Credit card information

It is an easy one stop shop for a number of data items that can be sold for big bucks on the black market. Criminals want access to this data in order commit insurance fraud, buy medical equipment and construct elaborate cases of identity theft.

What methods are used to access health data?

A recent Ponemon Institute study revealed the top security incidents healthcare organizations have experienced such as:

1. Lost/stolen device
2. Spear phishing
3. Web-borne malware attacks
4. Software vulnerability exploit (software was more than 3 months old)
5. Software vulnerability exploit (software was less than 3 months old)
6. SQL injection
7. APT
8. Spyware
9. DDoS
10. Zero day attack
11. Botnet attack
12. Clickjacking
13. Rootkits

Additionally, the top three root causes behind data breaches encountered by healthcare organizations include:

1. Criminal attack
2. Lost/stolen device
3. Unintentional employee action

How to prevent a healthcare data breach

While the root causes cannot be totally anticipated and prevented, there are strategies for minimizing the impact and consistency of occurrence if the right security processes are in place. First and foremost, the healthcare industry needs to recognize their faults and commit to changing their behaviors to reduce their risk. The majority of the respondents in the Ponemon study all remarked that more funding and resources need to be available.

Create a formal incident response/risk assessment plan

76% of organizations claim to allocate only 20% or less of their security budgets to incident response. While prevention plays a big part in business continuity planning, there is also a point where well-versed BC experts know that prevention measures will fail and there needs to be a tested strategy in place for responding and remedying the situation at hand. Based on this study there doesn’t seem to be that sense of strategy in healthcare organizations, especially since 44% of respondents admit to relying on ad hoc processes as their first means to completing a risk assessment after an incident occurs. So step one involves using the money you have to finalize a formal incident response and risk assessment strategy/plan.

This plan would include how your teams respond to the security incidents already identified above and who should be notified if an incident occurs. It would also address the process for reporting a lost/stolen device. These devices, even if you are in a BYOD environment, should be available for remote wiping and data destruction at the time the incident is reported (guidelines for which should also be outlined in the process).

Train your teams

The second part of this process is about making sure everyone is on board and understands how to carry out the outlined plans. You will need to train your individual teams on how to carry out their specific roles in the plans and the whole company on how to communicate across departmental barriers to move forward efficiently with an incident response plan.

Training doesn’t stop at understanding the process either. Training needs to be leveraged to combat the issue of employee negligence. If you don’t educate your employees on how to identity fraudulent emails, you can’t expect them not to fall victim to a spear phishing attack. There is no surprise that the top three security incidents healthcare organizations face are directly tied to employees’ lack of knowledge. Consistent security awareness assessments and training help to bring up your entire organization’s security environment and keep constituents’ data protected.