As of this writing, at least eight organizations have paid HIPAA fines this year. A health center in Colorado was levied a fine of $400,000 for its lack of a security management process to safeguard electronic Protected Health Information (ePHI). A wireless health services provider that inadvertently allowed disclosure of ePHI paid out $2.5 million. And a nonprofit healthcare corporation in Florida settled potential security and privacy violations for $5.5 million.
HIPAA requirements are detailed and particular about how to store and transmit ePHI. The HITECH Act expands the scope of privacy and security protections available under HIPAA, increasing the potential legal liability for non-compliance and providing for more enforcement. With industry-specific compliance requirements driving security spending and deployment, it’s natural to assume that best practices for securing access to sensitive data are different from vertical to vertical.
However, that assumption may be changing. According to findings from Fortinet’s Global Threat Landscape reports, much of today’s attack surface is shared across industries. This article describes today’s horizontal attack surface and shares best practices on how security leaders can mitigate network threats.
Cyber Crime Matures and Expands
Healthcare organizations are adopting virtualization technology such as virtual private datacenters. They’re moving to the cloud. They’re adopting more and more IoT devices. More smart devices are connecting to the network. As they do so, the threat landscape continues to expand. The upshot is an overall increase in the potential attack vectors that adversaries can take advantage of.
As this infrastructure broadens, healthcare organizations are losing visibility into and control over that infrastructure. Cyber criminals will use these blind spots to their advantage, and their success rate in penetrating the network will be much higher. At the same time, the cyber crime ecosystem is maturing. Crime-as-a-Service infrastructures enable adversaries to operate on a global scale at light speed. Malicious actors are using automation and sophisticated hacking tools that will increase the attack volume.
Three Key Trends
One report found that the median ratio of HTTPS (encrypted) to HTTP (non-encrypted) traffic hit a high mark of nearly 55 percent. This means that a higher percentage of communications are now encrypted. From a privacy perspective, this is great news. However, from a security perspective, organizations—including those in the healthcare industry—don’t have visibility into that particular communication channel, which means that particular channel could be malicious. The HIPAA Security Rule stipulates that ePHI, whether at rest or in transit, must be encrypted – which, ironically, places ePHI at potential risk due to lack of visibility. Adding to the problem, adversaries are using encrypted communications more and more as well, using what was created as a security measure to hide their activity.
Encryption is the first important trend discovered in the latest report. The second is an increase in cloud applications. The median number of cloud applications used per organization was 62, which is roughly one third of all applications detected. As healthcare organizations use more and more of these cloud apps, their data is going to reside in the cloud. Again, this creates a loss of visibility into what’s happening to that data.
The third trend, gleaned from cluster analysis, is that much of the attack surface is shared across all industries. With the exceptions of education and telco, the rest of the industries studied share that same attack surface. The analysis revealed that many of the same attack vectors bridged all regions as well as all industries. This makes it much easier for cyber criminals to leverage their automated tools across the entire attack surface that spans most industries than it would be if the attack surfaces were different. The threat problem is truly a global as well as a horizontal problem now.
In light of attack capabilities that transcend traditional boundaries of region and industry, there are several best practices that will help healthcare organizations mitigate network threats.
First, organizations must have visibility into the assets that they are responsible for securing. This involves reducing the attack surface, ensuring good vulnerability and patch management processes are in place, and—equally as important—understanding how assets are communicating with each other. It also involves situational awareness: a high degree of visibility into the network paired with a high level of understanding of the threats that the organization is facing.
Second, create a strategy for combatting the automated cybercrime ecosystem. Humans cannot operate at the speed and scale required to overcome automated threats, so organizations must fight automation with automation. That means getting technology controls working together and communicating across all attack vectors.
Finally, organizations will benefit from building relationships with peers outside of the region or the industry they operate in. Threat intelligence and successful mitigation tactics can be exchanged for the good of all.
Evolving the Security Landscape
Healthcare organizations today face the same cyber threats as almost every other industry – the attack surface has truly become horizontal. Visibility and control over today’s infrastructures are diminishing as the number of potential attack vectors continues to grow across the expanded network landscape. This improves criminals’ chances of success, but IT healthcare professionals can fight back with knowledge of the trends affecting the network and the implementation of sound practices – particularly automation. Going back to basics and expanding relationships beyond traditional boundaries will help create a more secure network.
About the author:
Anthony Giandomenico is an experienced information security executive, evangelist, entrepreneur and mentor with over 20 years of experience. In his current position at Fortinet, he is focused on delivering knowledge, tools and methodologies to properly demonstrate advanced threat concept and defense strategy using a practical approach to security. Anthony works closely with FortiGuard Labs and Fortinet System Engineering to respond to advanced threats as they break – and proactively plan beforehand.