4 Best Practices for Security Hygiene in the Healthcare Sector
As the world moves into an increasingly digital state, issues surrounding cybersecurity have grown exponentially as hackers and bad actors find new ways to infiltrate our networks and steal our most sensitive data. Over the last few years, hacking and IT security incidents have steadily risen, and many organizations — regardless of industry — are struggling to defend their network perimeter from cybercriminals looking for vulnerabilities.
One industry that has been heavily targeted is healthcare. Under HIPAA rules, hospitals, health insurance companies, clinics, nursing homes and pharmacies must comply with requirements to protect the privacy and security of health information, but breaches are still happening at an alarmingly rapid rate.
Every year since 2013, the healthcare industry has witnessed an increasing number of hacking incidents, and 2015 was especially troublesome as more patient and health plan member records were exposed or stolen that year than in the previous six years combined — and by a wide margin. In 2015 alone, more than 113 million records were compromised, nearly 79 million of which were stolen in the attack on the United States’ largest health insurance company, Anthem, resulting in the largest settlement ever for a data breach ($115 million). The infographic below (Clearwater Compliance, LLC) illustrates more statistics about the Anthem data breach and highlights that 94% of healthcare breaches are due to human error, an obvious area ripe for automation.
According to the 2018 Cost of a Data Breach Study, healthcare data breach costs are the highest among all industries for the seventh straight year. The annual study, conducted by Ponemon Institute and sponsored by IBM Security, also revealed that the average cost of a data breach in the U.S. has hit an all-time high of $7.35 million, a five percent increase compared to the year prior.
In the U.S. alone, the average cost for each lost or stolen record containing sensitive and confidential information, regardless of industry, is $148, but for the healthcare industry, that price tag leaps to $408 per record — more than 2.5 times the global average across industries. And with the number of healthcare hacking incidents on the rise every year since 2013, the financial impact of breaches in the healthcare industry is increasing as well.
Due to the additional information found in a medical record that isn’t readily available to hackers, health records offer more value to hackers than credit card records or Social Security numbers. In fact, some experts estimate the value of an individual stolen medical record to be at least $60, as elements of the data comprising the medical record (name, Social Security number, birthday) can’t easily be changed. Compounding this issue, the attack surface is growing as the proliferation of IoT devices in the healthcare industry ensures the presence of more connected medical devices than ever before.
Today, providers are required to adopt electronic health records, whether or not they are financially prepared to invest in cybersecurity. Consequently, many healthcare providers are turning to outdated or clunky software systems to store patient records, exposing themselves and their patients to hacking risks.
With hacking and IT security incidents on the rise — and more than a quarter of health care breaches in the first quarter of 2018 caused by such incidents — the importance of patching software and operating systems has never been more pronounced for health care organizations. In fact, arguably the most significant example of failure to apply security patches resulting in hospitals falling victim to cyber attacks came with last year's WannaCry ransomware outbreak.
While no patient data was compromised as a result of the global cyberattack, a large number of National Health Service hospitals and surgeries in the U.K. were forced offline as systems became infected. Later analysis found that simple patching could have prevented WannaCry’s massive impact.
The traditionally time-consuming and burdensome practice of patching needs to be prioritized by security and IT departments at hospitals and health care organizations. Staying current with patches for operating systems and third-party applications is the only way companies can fully prevent attacks based on known vulnerabilities.
While many cybersecurity teams already dedicate a sizable portion of their staff to vulnerability response, more people does not equal better security if patching processes are broken. Organizations often struggle with patching because they use manual processes and can’t prioritize what needs to be patched immediately.
A few ways health care organizations can improve their security posture are taking inventory of vulnerability response capabilities, defining and optimizing end-to-end vulnerability response processes, and automating as much as possible. Today, the solution that addresses all of these improvements appears to be cloud-native patch automation.
Enter Automox. Our cloud-native agent and policy engine allows you to control your level of patch management automation, flow processes and configuration enforcement — all from a single dashboard. The lightweight agent can be installed for all of your Windows, Mac OS or Linux systems in mere minutes and automatically patches vulnerabilities based upon your configured policies.
Ultimately, hospitals and health care organizations can significantly reduce their chances of being breached by practicing basic security hygiene and patching vulnerabilities in a timely fashion.
Four Best Practices For Security Hygiene
1. Keep Operating Systems Patched
Modern networks have multiple operating systems, utilize hybrid environments, and support remote employees. Research shows that 50% of Windows operating systems are running outdated versions and 40% of Apple devices are operating with outdated versions, leaving them susceptible to attack long after security patches were available. Having a regular process in place for checking for, testing, and applying patches to all OSs is the first step to protecting an entire infrastructure.
2. Update Software Patches ASAP
Apply security updates for software as soon as possible following their release. If organizations aren’t prepared to apply patches and updates regularly, it’s just a matter of time before vulnerabilities in their networks and applications are exploited. Delaying patching is a risky proposition, and the delay can be minimized with automated patch solutions that deploy patches as soon as they become available.
3. Manage 3rd Party Software
Over 75% of vulnerabilities on the average PC are due to 3rd party applications, and major data breaches (including the Equifax hack) were caused by unpatched vulnerabilities found in 3rd party software. One of the reasons 3rd party software is left unpatched is lack of visibility around which applications are present within a large network. With the growth in cloud-native applications that can be installed by any employee, it is critical that IT departments track and patch all 3rd party software on their networks.
4. Manage Endpoint Configurations
For strong endpoint security, you need a complete and continuously updated inventory of all devices, including PCs, laptops, IoT wares and peripherals. Cataloging all of these endpoints and capturing all of their details gives you complete visibility into your endpoints, their hardware specs, installed software, locations, users, vulnerabilities and configurations. Effectively monitoring your endpoint vulnerabilities is key to ensuring infrastructure security.
As cybersecurity strategies mature and innovative solutions such as Automox continue to emerge, technology organizations that tie their cybersecurity efforts to real business needs and objectives will gain confidence in their ability to deal with the increasingly sophisticated threats that occupy today’s ever-changing and dangerous digital landscape.