This article orginally appeared on Forbes.
- $1,000 per record is the Dark Web's going price for protected healthcare information (PHI), with credit profiles and credit data being the next-highest-priced data at $20 - $25 per record.
- According to IBM's Cost of Data Breach Report, the average healthcare breach costs $7.13M, the highest of any industry today and 10.9% higher than last year.
- According to the latest IBM Cost of Data Breach Report, the average time to identify a healthcare provider's breach is 329 days.
Healthcare breaches are a digitally driven pandemic proving to be just as insidious as Covid-19. In the U.S. alone, there's a high number of cases, reaching 430 breaches comprising 21.4M patient records as of today. The U.S. Department of Health and Human Services (HHS) Breach Portal provides searchable categories of healthcare breaches, quantifying just how fast-spreading this digital pandemic is. From 66 breaches affecting 500 patient records as of late February, there has been nearly a seven-fold increase in breaches alone in eight months. Key takeaways from looking at the data include the following:
- The HHS data available from the portal shows how the digital pandemic is spreading, with nearly half (204) of breaches getting started on devices and hardware. One hundred seventy three of the 430 breaches began with an e-mail phishing attempt that succeeded in obtaining privileged access credentials. Two hundred four of the breaches originated from devices, including laptops, portable electronic devices and network servers, all pointing to the need for greater endpoint security.
- Cybercriminals know stolen healthcare laptops are very lucrative as there are, on average, over 69,000 available PHI records on each one. Looking for a big payoff from fencing stolen PHI records on the Dark Web, cybercriminals are increasingly targeting laptops. One of the largest laptop-based breaches this year compromised 654,000 patient records after a laptop from the Health Share of Oregon was stolen from a transportation vendor who works for the agency. The records contained patient names, contact details, dates of birth and Medicaid ID numbers.
- Healthcare providers' reliance on legacy paper and film processes is responsible for 47 breaches this year. The processes that create paper and film records often have multiple endpoints exposed, making the entire process of creating and storing them easily hacked or stolen. Over 10% of healthcare breaches this year happened because endpoints are still entirely manual-based. It's time for the healthcare industry to step up and get more automated, starting with endpoint security that can create more resilient, persistent connections to every laptop.
Interested in learning more about how healthcare providers are taking action against the more aggressive, targeted cyberattacks and navigating this digital pandemic, I asked a friend of mine, Steve Spadaccini, Vice President, Worldwide Sales Engineering at Absolute Software, for his insights. Steve has over 25 years in cybersecurity and is advising healthcare providers on how they can thwart breach attempts, with a strong focus on endpoint security today. Here are the key insights from our conversation:
- To successfully close the cybersecurity gap in their organizations, healthcare providers need to take a multifaceted strategy to endpoint security, starting by improving endpoint persistence and progressing to geofencing. Securing laptops and locking them if they're lost or stolen is key to effective endpoint security. There'd be over 829,000 PHI records secure today if healthcare providers whose laptops had been stolen had been immediately frozen. "Cybercriminals target healthcare executive's laptops because they know they can gain access to more internal systems that way," Steve said. That’s why, he says, healthcare providers ideally need to have an unbreakable two-way connection to each endpoint that delivers full visibility into each laptop's applications, data and asset health. Second, Steve tells healthcare providers that it is important to create an adaptive defense layer by notifying IT of where devices are and when security applications are removed or corrupt and triggering automatic reinstallation. Finally, geofencing allows healthcare providers to keep track of laptops and ensure they're still in the facilities or with the employees who are authorized to use them. "Having resilient endpoints, with an undeletable digital tether, helps you know what's going on with very laptop, making it possible to keep each one updated and, if necessary, rebuild the entire software image remotely," Steve said. Multiple cybersecurity vendors are looking at how to provide endpoint resilience, including the ability to rebuild the system remotely, with Absolute being the market leader globally in this area today.
- Resist the myth that endpoint security must be a one-size-fits-all strategy, especially in healthcare and realize compliance must adapt as a health provider’s business model changes. Steve cautions that the more a given industry has tight regulatory compliance requirements, the more likely companies will attempt to save some time by imitating each other's approach to endpoint security. "I think a lot of times in healthcare, providers buy solutions that someone recommended to them from another CIO or CTO and they try to make them work because the other ones had success… and then they can't get to the same level of success," Steve said. He advises healthcare providers to define their unique approach to endpoint security first and then adjust to strengthen the areas where tools are not scaling internally today. Each healthcare provider faces a different set of challenges, so it's best to do an internal audit first to see where the strongest and weakest links are. Steve emphasizes that healthcare providers are looking at how endpoint security can help achieve and sustain HIPAA compliance.
- The identities, personas and roles endpoints protect in healthcare are the real network perimeters today, not the legacy trusted and untrusted domains of the past. BYOD adoption is accelerating in healthcare, creating more unique endpoint security challenges this year. It's a given all BYOD devices will only access healthcare systems and records over VPNs, but that's not enough to keep each endpoints secure. "You've got to be sure that the local system is not storing PHI and also have access to wipe and brick the system if it's lost or stolen, which we've had to do on occasion for healthcare providers who send devices out for refurbishment that end up getting stolen," Steve said. In 2021, healthcare providers will rely on endpoint resilience and persistence more than ever, as laptop thefts are predicted to soar given what a goldmine they are for PHI data – the most valuable on the Dark Web. Bricking a stolen laptop before patient data is compromised is the goal many healthcare providers want to achieve now and will priority in the coming year. "Healthcare providers are facing budget constraints going into 2021, which means less will be spent on endpoint agents… which means they need device-level control more than ever before," Steve said. Endpoint security management that contributes to better IT asset management has the inside edge as CIOs want to make every asset last as long as possible.
- For healthcare providers to thwart breaches, their endpoint security strategies must include the three core criteria of persistence, resilience and always-on visibility to improve asset management and get a 360-degree view of all endpoints. Achieving greater persistence and resilience across all the endpoints in a healthcare provider needs to span multiple, often incompatible platforms by relying on the hardware level for consistency. Because Absolute is already embedded in the BIOS of Dell, HP, Lenovo and 23 other leading manufacturers' devices, healthcare providers are relying on their platform as the single source of truth needed to protect personal data and help achieve HIPAA compliance. In practical, pragmatic terms, when any healthcare provider has a single source of truth to operate from, IT and cybersecurity teams know alerts, exception reporting and geo-fencing violations are accurate, real time and must be acted on. That is one of the most actionable, practical benefits of having an undeletable digital tether to every endpoint, saving thousands of hours a year and potentially hundreds of thousands of PHI records.
A CIO I recently spoke with from a local financial services firm says that the most valuable data to her today is knowing the true state of every endpoint. “What I need is a 360-degree of every endpoint as an asset and a threat surface," she said. She's finding that software updates often overlap or conflict with each other, or can create havoc with VPNs working correctly for remote employees and says it can be a major time sink if not done well. Her focus is now on simplifying endpoint security and seeing the true state of each asset as well. Absolute’s patented Persistence technology is one solution she's looking at today as software-based endpoints alone can't provide the complete visibility and 360-degree view she needs.