It is no surprise that hackers will always target high value, critical data, so amongst some of the most targeted industries is healthcare; the highly sensitive patient data stored in this industry creates a playground ready for waiting hackers to exploit. In the past five years alone, healthcare breaches have grown in both frequency and size, with the largest impacting as many as 80 million people.
Last year, the NHS suffered significant disruption from WannaCry, which bought the vulnerability of the healthcare sector into sharp focus. This attack contributed to 1,300 hours’ of downtime over the last three years, but the problems are reflected globally; in the US,45% of ransomware attacks in 2017 targeted healthcare organisations with over 175 million records being exposed or stolen since 2009.
With many organisations preparing to go fully digital over the next few years, healthcare services must learn from recent data breaches if they are to secure their infrastructure against cyberattacks. But what can the healthcare industry do to ensure that they are securing patient data and protecting their networks?
It’s a case of when, not if
For every organisation that deals with data – be it customer, financial or patient data – the reality is that they will experience a data breach at some point. It’s not only the increasing sophistication of the methods used by hackers, but equally as important, it’s the fact that healthcare data is no longer in one place, and no longer accessed within the confines of a facility.
Whilst patient data used to reside in hospitals and doctors’ offices, today’s distributed healthcare system spans the nation and sometimes even across the globe, across facilities, public clouds and private clouds. This critical data is not just distributed to healthcare staff, but to third parties whose devices and policies cannot be easily controlled. The attack surface is expanding considerably and connected mobile devices and Internet of Things (IoT) devices have become commonplace in healthcare settings: just the sheer number of medical, clinical, IT and admin staff needing access to patient data, at all times and in various settings, makes the legacy security measures that were once put in place now unable to cope with today’s complex and diverse network.
And it only takes one compromised device to enable a hacker to penetrate and then move laterally across a network, infecting potentially thousands of devices and bringing the network to a standstill. Some NHS Trusts were forced to turn off their network to prevent infection during the WannaCry attack. No organisation can afford to simply ‘turn off’ in order to prevent a compromise.
A new mindset: start with security
Hospitals and healthcare organisations must look beyond the network infrastructure and instead start with a security overlay that will cover the networks, independent of its infrastructure, rather than taking a narrow approach of building the strategy around the infrastructure. From a data security perspective, the network must become irrelevant, and with this flows a natural simplicity in approach.
Healthcare organisations need to consider innovative approaches such as Layer 4 encryption which renders the data itself undecipherable while in transit, and therefore worthless to hackers, without impacting the operational visibility of the enterprise network and data flows.
With cyber threats evolving all the time and cyber attacks ongoing, healthcare organisations can substantially reduce the likelihood of a data breach occurring by adopting robust security strategies designed for today’s more complex, distributed and hybrid networks. With such critical and sensitive patient data at risk, healthcare organisations really can’t afford to take the risk.
Paul German, CEO at Certes Networks
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.