A handful of patients who were impacted by the recent Community Health Systems (CHS) data breach filed a class action suit against the healthcare giant in Alabama, and the company could be in store for even more in the wake of a data loss event affecting as many as 4.5 million people nationwide.
The fallout from the massive breach of personal information should be a call to action for the industry to make much needed investments in securing critical systems and devices before healthcare data breaches reach epidemic proportions.
Last week the FBI issued a warning that the entire healthcare sector remains at risk from criminal hackers; it followed another warning, issued last April, which cautioned the industry that its cybersecurity posture was lax compared with other industry sectors.
These warnings underscore issues raised by a report released last February by SANS and threat intelligence leader Norse Corporation titled Healthcare Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon.
The report covered a variety of healthcare-related organizations and found that exploited medical devices, conferencing systems, web servers, printers, and edge security technologies were all broadcasting malicious traffic.
In addition, the report noted a wide array of compromised devices ranging from radiology imaging software to firewalls and mail servers, with a significant number of compromises due to basic hygiene failures such as leaving default credentials in place, which increases the chance of a breach event.
The key takeaway from the CHS class action filing for the healthcare sector is that, despite resource limitations, the potential cost of a breach is orders of magnitude greater than the cost of investing in security now.
As the SANS/Norse report points out, the 2013 Ponemon Cost of a Data Breach study demonstrated that expenses related to a breach such as incident handling, victim notification, credit monitoring and lost opportunities cost healthcare organizations about $233 per compromised record.
Additional recovery costs, including litigation such as the class action against CHS, systems recovery, new security control investments, and credit protection services for victims, can push the total much higher, as was the case in the WellPoint incident, which reached an astronomical $142,689,666 in losses.
"A refreshed focus on security within health care is needed, one that meets compliance requirements without compromising security, addresses computing trends (such as cloud services or mobile devices) that make traditional network perimeters more porous, and finally, that focuses on security and privacy practices that mitigate the risks outlined in this paper," wrote Barbara Filkins, Senior SANS Analyst and Healthcare Specialist.
"Start with enforcing best practices and controls. A good starting point to implement and enforce best policies and practices is the Critical Security Controls (CSCs), a list of 20 items for effective network defense. Organizations should also consider standards for health care controls, such as two-factor authentication."
The report further recommends the following for healthcare organizations:
Know What's on Your Network: One of the first steps in the CSCs is assessment, which starts by gaining visibility into the enterprise and its systems, including nontraditional devices such as printers, VoIP boxes, personal medical devices and institutional medical instruments. Part of that assessment also involves determining the current state of your systems.
Think Like an Attacker: At a minimum, devices with default passwords, insecure ports and other inherent risks pose attack surfaces that often are not being properly configured or monitored for vulnerabilities. Also consider physical pathways: The attacker could manipulate a vulnerable surveillance camera, and such devices are often attached to the organization's private network and allow easy access to and compromise of that environment.
Consider Your Network Pathways: Most of us understand the need for protecting the path into our devices, systems and networks from the outside. Ingress protection, however, is not enough if internal compromise is an issue. Organizations may need egress filtering (monitoring, controlling and potentially restricting the flow of information outbound from a network) to ensure that unauthorized or malicious traffic such as that presented in this report never makes it to the Internet. Cloud applications, particularly in the form of health care exchanges and medical and pharmaceutical networks, create additional attack surfaces attackers can exploit to gain access to protected patient medical and financial data. Organizations need new methods to examine and analyze the traffic flowing across their network in real time.
Assess and Attest: Assessment for system configuration and potential vulnerabilities should be an ongoing process of detection, repair, improvement and attestation that the improvements have been made. The federally defined "Meaningful Use" criteria call for providers or hospitals that have received funding under the Medicare and Medicaid Electronic Health Record (EHR) Incentive Program to attest to the protection of "electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities."
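To make the "Know What's on Your Network" and "Consider Your Network Pathways" recommendations concrete, here is an added example (it is not code from the SANS/Norse report or from this article) that ties an asset inventory to an egress policy and checks outbound connection records against it. The inventory, the per-device-class allowlist, the log format and the IP addresses are all assumptions constructed for the example; a real deployment would feed it firewall or NetFlow export and inventory data from the organization's own CMDB.

```python
"""Egress-policy check driven by a device inventory (added example)."""
import ipaddress
from collections import namedtuple

# Assumed internal address space; anything outside it is "Internet-bound".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed egress allowlist per device class: set of (destination network, port).
# The point of the policy is that a printer or imaging modality has a much
# narrower legitimate outbound profile than a staff workstation.
EGRESS_POLICY = {
    "workstation": {("0.0.0.0/0", 443), ("0.0.0.0/0", 80)},
    "printer": set(),                          # no outbound Internet at all
    "imaging": {("203.0.113.10/32", 443)},     # assumed vendor support portal only
}

# Assumed asset inventory: source IP -> device class (the CSC assessment output).
INVENTORY = {
    "10.1.4.20": "workstation",
    "10.1.9.5": "printer",
    "10.2.0.44": "imaging",
}

Flow = namedtuple("Flow", "ts src dst dport proto")


def parse_flow(line):
    """Parse one constructed record: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(flow):
    """Return None if the flow is permitted by egress policy, else a reason."""
    if is_internal(flow.dst):
        return None  # east-west traffic is outside the scope of egress policy
    cls = INVENTORY.get(flow.src)
    if cls is None:
        return "unknown source device"  # talking out but never inventoried
    dst = ipaddress.ip_address(flow.dst)
    for net, port in EGRESS_POLICY.get(cls, set()):
        if port == flow.dport and dst in ipaddress.ip_network(net):
            return None
    return f"{cls} not permitted egress to {flow.dst}:{flow.dport}"


def find_violations(log_text):
    """Return (src, dst, dport, reason) for every record that breaks policy."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = evaluate(flow)
        if reason:
            violations.append((flow.src, flow.dst, flow.dport, reason))
    return violations


# Constructed sample records (not real traffic): a workstation on HTTPS, a
# printer reaching an IRC port, the imaging box on its vendor portal and then
# on SMTP, an internal print job, and an un-inventoried host browsing out.
SAMPLE_LOG = """\
2014-08-20T10:01:02 10.1.4.20 198.51.100.7 443 tcp
2014-08-20T10:01:05 10.1.9.5 198.51.100.9 6667 tcp
2014-08-20T10:01:09 10.2.0.44 203.0.113.10 443 tcp
2014-08-20T10:01:12 10.2.0.44 198.51.100.23 25 tcp
2014-08-20T10:01:15 10.1.4.20 10.1.9.5 9100 tcp
2014-08-20T10:01:18 10.3.7.7 198.51.100.50 80 tcp
"""

if __name__ == "__main__":
    for src, dst, dport, reason in find_violations(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

Running it flags three of the six records: the printer's IRC connection, the imaging system's SMTP connection, and the host that is not in the inventory at all. The last case is the one an inventory-driven check catches that a plain port-based egress rule would not, and it is exactly the "unknown device broadcasting malicious traffic" pattern the report describes. Enforcing the same policy at the perimeter firewall is the next step; this check is the monitoring half.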