Why this post?
Over the past few months we have seen a number of reports on breaches of healthcare organizations and medical device manufacturers where the suspected or documented target was intellectual property data related to medical devices. Some of these recent cases have received wide press coverage.
As a result, the FBI has issued a warning to US healthcare companies that they may be the target of further cyberattacks (FBI warns healthcare firms they are targeted by hackers). The document indicated that several companies in the sector had been targeted and intellectual property, rather than personal data or PHI, may be the main target of the attacks.
"These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data" (FBI)
It is suspected that nation states and/or well-organized cybercrime organizations are behind these highly sophisticated and well-executed attacks. This is in line with a trend cybersecurity experts have been observing for a number of years – the trend towards politically and financially motivated attacks executed with unprecedented degree of stealth, determination, and precision.
In other words, cybersecurity is not what it used to be. Not by a long shot.
What it means for the Healthcare Industry
The healthcare industry has traditionally underinvested in security, yet at the same time we have seen breaches and attacks increase. Hackers focus on healthcare institutions because they are perceived as the easier target compared to other industries. We have seen focus on patient demographic information (i.e. identities), personal identifiers (social security, insurance, or medical record numbers), and medical data (PHI).
We have seen data being stolen for the purpose of financial or medical identity theft, insurance fraud, sale of information on the underground marketplace, blackmailing of patients, financial gain, and ransoming of healthcare providers. And now we can add to that list corporate espionage and intellectual property theft.
The recent attacks and breaches highlight the risk of companies in the medial device, biotech, and pharmaceutical industries, as well as their medical research and clinical trial partners – i.e. the hospitals and clinicians they are cooperating with. This does move the discussion to another, higher and very concerning level.
The security industry has, for the past years, developed the concept of “Defense in Depth” … meaning that security as a point solution is no longer good enough. Not only do we need security across all layers, those security layers need to be integrated to allow reliable detection, coordinated defense, and efficient response.
As cyber criminals are getting better, we need to up our game, too. Unfortunately, the bad guys need to be right only once, we need to be right every time. Hence, we have developed concepts of layered security, defense in depth, edge to endpoint, and lastly the importance of selecting the right security partner.
Symantec can help you to protect your infrastructure and information on all levels through:
- Endpoint Security: Symantec Endpoint Protection, Mobile Security Solutions, and specific solutions for mission critical systems (e.g. servers hosting clinical research and other intellectual property data) or difficult to protect and patch systems (e.g. COTS-based medical devices).
- Data Loss Prevention: to understand data location, data access and usage so to allow for the appropriate protection of such data.
- Encryption: to protect critical information on endpoints, fileshares, in email, or data being transmitted.
- Altiris IT Infrastructure Management: to discover IT assets, assess IT compliance, identify vulnerable systems, and manage configuration, patching, and upgrades.
- Validation and ID Protection Services: to enable strong (two factor) authentication and reduce the risk external access channels being exploited.
- Symantec Web Gateway: Backed by Symantec Global Intelligence Network, it provides multiple layers of malware protection and URL filtering, securing web access and detecting malware related traffic.
- Symantec Mail Gateway or Hosted Email Services: to block email-based malware or spam and reduce the risk of phishing attacks.
- Security advisory, implementation, assessment and consultancy services.
- Security Education: to make sure your employees understands today’s security threats and their obligation to prevent e.g. spear-phishing attacks.
- Managed Security Services: Defend against today’s sophisticated cyber threats, accelerate detection, and optimize response to relevant security events.
Large breaches can be costly and result in fines, remediation costs, class action lawsuits, loss of reputation and trust, and can affect your business and market opportunity if intellectual property is affected.
As a security professional, that makes me wonder if not paying attention to what is happening in cybersecurity today, not understanding the changing threat landscape, and not being prepared for modern threats could be considered 'willful neglect'?
Traditionally, lost or stolen equipment (laptops, thumb drives, backup tapes) were the biggest breach risk in healthcare, and looking at some of the breach statistics, we are still struggling to prevent. Yet, in reality, the bad guys are stepping up their game rapidly and healthcare is now in the crosshair, leading to a growing gap between threats and the industry's security capabilities.
The paradigm is shifting and we need to be ready to deal with these new risks now, not at some point in the future. In a recent interview, John Halamka, CIO Beth Israel Deaconess Medical Center, stated that: “to guard against hackers, health care CIOs are investing in security like never before.”
We have to - the gap is getting bigger as I am writing this.
For a further discussion on healthcare breaches, see also Kevin Haley's blog post here: Responding to Data Breaches in the Healthcare Industry