Healthcare is the only industry in which internal threat actors are the biggest threat to an organisation, a recent study posits. The "Verizon Protected Health Information Data Breach Report" found 58 percent of healthcare-related cyber-security incidents involved insiders.
Workers driven by financial gain, such as tax fraud or opening lines of credit with stolen information, accounted for 48 percent of those incidents; fun or curiosity, such as looking up the personal records of celebrities or family members, accounted for 31 percent, and simple convenience accounted for 10 percent.
Corrupt insiders weren't the only threat to healthcare organisations. Of the incidents involving malicious code, the report found 70 percent were the result of ransomware, a figure similar across all business sectors.
In addition to the cyber-attacks, the report also found 21 percent of incidents involved lost and stolen laptops containing unencrypted personal health information (PHI), prompting researchers to recommend more employee education to ensure that basic security measures are put in place.
“An overall incident response (IR) plan should be established and include both internal stakeholders as well as external partners in areas of legal guidance and forensic investigative assistance,” researchers said in the report. “The ability to react quickly and efficiently can often make a difference in the level of impact an incident has on an organisation.”
Furthermore, improvements should be made in the detection of potential security incidents and/or data, the report said.
To improve the threat landscape in the short run, researchers suggested healthcare centres use full disk encryption, routinely monitor record access, and build resiliency to combat ransomware attacks.
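An added example (not code from either report) of what routine monitoring of record access can look like in practice: a Python script that scans a constructed EHR audit log for the insider patterns the Verizon report describes, namely chart lookups with no treatment relationship, lookups of VIP or same-surname (possible family) patients, and bulk off-list lookups that suggest harvesting of identities. The log format, user and patient names, care-team assignments and the bulk threshold are all assumptions.

```python
from collections import defaultdict

# Constructed audit log (hypothetical format): who opened which patient's chart.
# Surnames are included so lookups of relatives can be spotted.
AUDIT_LOG = [
    {"ts": "2018-03-01T09:02", "user": "nurse_a", "user_surname": "Rivera",
     "patient": "P100", "patient_surname": "Lee", "vip": False},
    {"ts": "2018-03-01T09:15", "user": "nurse_a", "user_surname": "Rivera",
     "patient": "P205", "patient_surname": "Rivera", "vip": False},  # relative?
    {"ts": "2018-03-01T10:40", "user": "clerk_b", "user_surname": "Okafor",
     "patient": "P300", "patient_surname": "Famous", "vip": True},   # celebrity
    {"ts": "2018-03-01T11:00", "user": "clerk_b", "user_surname": "Okafor",
     "patient": "P301", "patient_surname": "Ng", "vip": False},
    {"ts": "2018-03-01T11:01", "user": "clerk_b", "user_surname": "Okafor",
     "patient": "P302", "patient_surname": "Diaz", "vip": False},
    {"ts": "2018-03-01T11:02", "user": "clerk_b", "user_surname": "Okafor",
     "patient": "P303", "patient_surname": "Kim", "vip": False},
]

# Constructed treatment relationships: charts each user legitimately works on.
CARE_TEAM = {"nurse_a": {"P100"}, "clerk_b": {"P301"}}

BULK_THRESHOLD = 2  # distinct off-list charts per user per day before flagging (assumed)

def flag_accesses(log, care_team, bulk_threshold=BULK_THRESHOLD):
    """Return (per-access findings, per-user bulk findings) for review by privacy staff."""
    findings = []
    off_list = defaultdict(set)  # (user, day) -> charts opened without a relationship
    for e in log:
        reasons = []
        if e["patient"] not in care_team.get(e["user"], set()):
            reasons.append("no treatment relationship")
            off_list[(e["user"], e["ts"][:10])].add(e["patient"])
        if e["vip"]:
            reasons.append("VIP chart")
        if e["user_surname"].lower() == e["patient_surname"].lower():
            reasons.append("shares surname with patient")
        if reasons:
            findings.append((e["ts"], e["user"], e["patient"], reasons))
    bulk = [(user, day, len(charts)) for (user, day), charts in off_list.items()
            if len(charts) >= bulk_threshold]
    return findings, bulk

if __name__ == "__main__":
    per_access, per_user = flag_accesses(AUDIT_LOG, CARE_TEAM)
    for f in per_access: print("ACCESS", *f)
    for b in per_user: print("BULK", *b)
```

In a real deployment the care-team lookup would come from the scheduling or admission system rather than a static dictionary, and flagged rows would feed a review queue rather than being treated as proof of misuse.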
In the US, full disk encryption is also part of the HIPAA Security Rule checklist and would help reduce risks in the event of a stolen laptop. Healthcare centres can also reduce their risks by improving their readiness to confront cyber-threats.
One of the best ways they can ensure they are prepared is by conforming to the NIST Cyber-security Framework (CSF). Unfortunately, the average NIST CSF conformance is only 45 percent for healthcare organisations, according to CynergisTek's "Improving Readiness: Meeting Cyber Threats" report.
“Assuming that the maximum potential is 100 percent, our average of 45 percent is not a particularly promising sign,” the report said. “While the NIST CSF is only four years old, the HIPAA Security Rule will turn 13 in 2018 and healthcare is still catching up.”
Academic medical centers seem to be the most compliant on average, at 65 percent, followed by health systems at 56 percent, children's hospitals at 50 percent, short term acute care centers at 48 percent, and critical access centers at 18 percent.
“By hospital type, not surprisingly, the smaller, the lower the level of NIST compliance,” researchers said in the CynergisTek report. “This should be a reminder that we are all connected and while your organisation may have many of the NIST practices and guidelines in place, connecting with organisations that have less security raises your risk.”
While the type of facility made a difference in security, the correlation between budgets and security was less clear-cut. Although, as a whole, healthcare centers were more compliant the higher their budget, there were still discrepancies: centres with budgets of less than US$ 50 million (£36 million) had an average 27 percent conformance rate, compared with a 16 percent average conformance rate for organisations with budgets between US$ 50 million (£36 million) and US$ 100 million (£72 million).
“Organisations with less than US$ 50 million (£36 million) in revenue scored significantly higher than those in the US$ 50 million (£36 million) to US$ 100 million (£72 million) range,” researchers said in the report. “Organisations in the range of US$ 500 million (£362 million) to US$ 1 billion (£700 million) in revenue scored higher than the next two tiers, and higher than any other revenue range.”
Researchers said that organisations must have a response plan in place, defined communication lines among appropriate parties, and the ability to collect and analyse information about the event. In addition, they must recover with a coordinated set of restoration activities, internally and with external parties, that incorporate the lessons learned into an updated recovery plan, the report said.
In separate research, the 2018 Thales Healthcare Data Threat Report found that only 30 percent of global healthcare organisations have remained untouched by data breaches. Worryingly, 39 percent of these organisations have been breached in the past year alone. The majority of respondents, 70 percent, reported being breached in the past, which is a 17 percent increase from 2016.