From efficiently diagnosing ailments and delivering point-in-time clinical services to billing insurers, patient data is a vital component of modern healthcare. Each year the digitization of our medical information becomes more pervasive as electronic health record systems, cloud services, mHealth technologies, and IoT systems converge to improve the patient experience and treatment outcomes. However, every additional system that stores, processes, transmits, or maintains healthcare information adds organizational risk unless that risk is identified and managed. Cybercriminals and malicious insiders have long prized patient information for the breadth of fraud opportunities it presents. Because patient data is rich with personally identifiable information (PII), financial and insurance details, and the medical history that makes each of us unique, it can be monetized for medical identity theft and fraud. These risks are currently amplified by the global COVID-19 pandemic: as patients seek treatment, their information is brokered at wire speed across numerous endpoint devices within the point-of-care cycle, each of which can break the chain of custody if its security and privacy safeguards are inadequate.
Effectively defending patient data has long been a challenge for covered entities. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) Breach Portal shows that healthcare organizations are attacked and compromised with ongoing frequency. In 2020 alone, over 22 million U.S. patient records were breached. Counted by incident, “Non-Hacking” categories made up 82% of the breaches reported to OCR; counted by volume of records accessed, 93% were attributed to a “Hacking/IT Incident” such as the compromise of a network server or email system. So how can you, as a cyber practitioner, defend patient information and healthcare systems in a responsible and defensible way? By disrupting the attacker’s return on investment through cyber hygiene best practices.
Nearly all attacks exploit inadequate cybersecurity controls: unpatched systems and applications, medical devices left in non-hardened default configurations, and insufficient logging and monitoring, to name a few. Given the pace of healthcare operations and the fluidity of patient data, expected safeguards are missed and defenders are quickly overwhelmed by the competing priorities of regulatory compliance and maintaining network situational awareness. To meet this challenge, the CIS Controls provide a prioritized list of cyber hygiene best practices, derived from current offensive tactics, techniques, and procedures, that map to defensive countermeasures specifically designed to block known attacks and disrupt the attacker’s ROI.
The difference between a significant and a minor breach is the data impacted, so understanding where critical data such as patient information resides within the organization is essential. Once that is known, the CIS Controls provide a cost-effective, measurable means of automating technical cyber hygiene.
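Knowing where patient data resides starts with discovery. As an added example (this is not code from the original article or from CIS), the following Python script scans a set of text sources for common PHI identifiers and builds a per-location inventory. The SSN and date-of-birth patterns are the usual U.S. formats; the medical record number (MRN) pattern is an assumption, since MRN formats differ between institutions. The sample sources are constructed inline so the script runs offline. One practitioner caveat is built in: the findings are redacted before they are reported, so the inventory itself does not become another copy of the PHI you are trying to locate.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Detection patterns for common PHI identifiers.
# SSN: 3-2-4 digits, excluding invalid area/group/serial values.
# DOB: MM/DD/YYYY with plausible month, day, and century.
# MRN: ASSUMPTION for this example; an 8-digit number preceded by "MRN".
#      Real institutions use their own formats, so adapt this per site.
PHI_PATTERNS: dict[str, re.Pattern[str]] = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{8}\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    location: str   # where the identifier was found (file path, share, table)
    kind: str       # which PHI pattern matched
    redacted: str   # match with all but the last four characters masked


def redact(value: str) -> str:
    """Mask everything except the last four characters so reports are not PHI."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(location: str, text: str) -> list[Finding]:
    """Return every PHI match in `text`, already redacted."""
    findings: list[Finding] = []
    for kind, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(location, kind, redact(match.group(0))))
    return findings


def inventory(sources: dict[str, str]) -> dict[str, dict[str, int]]:
    """Map each location that contains PHI to a count of each identifier kind.

    Locations with no findings are omitted, so the result is the list of
    places that need protection, not a dump of everything scanned.
    """
    result: dict[str, dict[str, int]] = {}
    for location, text in sources.items():
        counts: dict[str, int] = {}
        for finding in scan_text(location, text):
            counts[finding.kind] = counts.get(finding.kind, 0) + 1
        if counts:
            result[location] = counts
    return result


# Constructed sample data standing in for files on a file share.
# None of these values belong to a real person.
SAMPLE_SOURCES: dict[str, str] = {
    "billing/claims_2020.csv": "claim_id,patient,ssn,dob\n1001,J. Doe,123-45-6789,03/14/1975\n",
    "shared/export.txt": "Discharge summary for MRN: 00482913. Follow-up in 2 weeks.\n",
    "it/server_inventory.txt": "host,ip\nehr-db01,10.0.4.12\n",
}


if __name__ == "__main__":
    for location, counts in inventory(SAMPLE_SOURCES).items():
        print(f"{location}: {counts}")
    for finding in scan_text("shared/export.txt", SAMPLE_SOURCES["shared/export.txt"]):
        print(finding)
```

In practice the `sources` mapping would be fed by a crawl of file shares, database exports, or mailbox archives, and the resulting inventory is what drives the prioritization the CIS Controls call for: the locations with findings are where patching, hardening, and logging effort pays off first.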