05 Jan 5 Strategies to Prevent Security Breaches
Originally published in Executive Insights
Last year’s litany of patient data mega-breaches hit some of the most well-resourced and advanced healthcare entities in the country, including Anthem, Beacon Health, CareFirst, Community Health Systems, Premera and others. Experts conclude that it’s likely that others remain unaware of infiltrators on their networks as well.
“Most reports characterize these attacks as ‘sophisticated,’ but in truth the majority of methods used are Information Age-old and well-established ways to hack a network,” says Aaron Hayden, IT security analyst at CliftonLarsonAllen (CLA), a company that regularly audits security at healthcare organizations.
The pathway attackers used to gain footholds on these organizations’ networks was similar, Hayden explains. Generally an attacker asked for, and was granted, access through social engineering. For Premera, attackers registered a domain typographically similar to premera.com through an anonymous registrar. (Anthem and others were victims of identical methods.) Next, they created a website designed to mimic the company’s official pages. Then they sent a single disguised email message that tricked the recipient into divulging credentials that allowed the attackers to connect to the internal network.
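The look-alike domain step above (a domain typographically close to premera.com, used as the sender of a single phishing message) is one a mail gateway can screen for. The following script is an added example, not code from the article or from CLA; it folds common character substitutions and Unicode variants, then flags sender domains whose brand label is within a small edit distance of, or contains, the organization's own label. The sender list and the confusable table are constructed for illustration.

```python
"""Flag inbound sender domains that imitate the organization's own domain.

Added example, not from the article. ORG_DOMAIN follows the Premera case in
the text; SAMPLE_SENDERS and CONFUSABLES are constructed illustration data.
"""
import unicodedata

ORG_DOMAIN = "premera.com"

# Character sequences an attacker can swap in to imitate the brand label.
# Deliberately short, constructed table: (fake, real) pairs.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
MAX_EDIT_DISTANCE = 2


def brand_label(domain: str) -> str:
    """Second-level label: 'premera' for 'mail.premera.com'.
    Known limitation: multi-part public suffixes such as .co.uk are not handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold(label: str) -> str:
    """Normalize Unicode (e.g. fullwidth letters) and undo common substitutions."""
    label = unicodedata.normalize("NFKC", label)
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str) -> str:
    """'exact' for our domain or a subdomain of it, 'lookalike' for an imitation, else 'other'."""
    d = domain.lower().rstrip(".")
    if d == ORG_DOMAIN or d.endswith("." + ORG_DOMAIN):
        return "exact"
    own, theirs = brand_label(ORG_DOMAIN), fold(brand_label(d))
    if own in theirs or edit_distance(own, theirs) <= MAX_EDIT_DISTANCE:
        return "lookalike"
    return "other"


def flag_lookalikes(sender_domains):
    """Return the sender domains that should be held for review."""
    return [d for d in sender_domains if classify_sender(d) == "lookalike"]


# Constructed sample: the last entry uses Cyrillic 'е' (U+0435) in place of Latin 'e'.
SAMPLE_SENDERS = ["premera.com", "mail.premera.com", "prernera.com", "premeraa.com",
                  "premera-secure.com", "example.org", "prem\u0435ra.com"]
```

Run on SAMPLE_SENDERS it holds the four imitation domains and passes the organization's own domain, its subdomain and the unrelated example.org.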
Once attackers gained access, they had nearly a year to pivot around the network, escalate access privileges and siphon data from unencrypted databases without detection. Streams of patient data were exfiltrated from the corporate networks into dark corners of the Internet. So far, the patient data haven’t surfaced for sale, nor have any been clearly used for further attacks. “It appears attackers weren’t stealing data for an auction,” explains Hayden, “They probably took it to facilitate future hacks.”
Remembering Your Reputation
No doubt protecting patient data must be the utmost priority for U.S. healthcare entities challenged to create, process, archive and share an expanding scope of patient health records. Secure data management must be done in consideration of regulatory codes and pressure to operate with increased efficiency, in an environment of unprecedented threats to protected information.
Meanwhile, “Healthcare executives must consider another potent, and often more far-reaching risk of suffering a mega-breach,” explains Casey Boggs, president of LT Public Relations, a communications firm that specializes in healthcare, legal and crisis communications. “If patient data is breached, the hospital’s reputation is immediately jeopardized. The public perception of the healthcare provider creates an unquantifiable loss that requires an action plan as solid as any cybersecurity program.”
A well-defined risk management plan ensures an organization allocates resources where they are needed most, meets the objectives of regulation, achieves cost goals and stays ahead of the information security arms race. As a start, following are five practical countermeasures executives can deploy to protect the reputation of their organization, as well as the security of their patient data:
Strategy #1: Have a Reputation Audit Done Before a Crisis
Advance preparation and understanding can help your hospital manage a crisis. “A communications audit can help you understand how effectively your organization is telling its business story internally and externally, while identifying any significant communications gaps before a crisis occurs,” explains Boggs. “This audit can safeguard your hospital’s online and public reputation, while strengthening the communication process in the event of a crisis.”
Strategy #2: Have a Crisis Communications Plan that Includes Social Media
In the event of a data breach, your healthcare organization should provide doctors, staff, patients, vendors, healthcare industry leaders, public officials, community, media and social media followers with factual information as quickly, clearly and accurately as possible. A tailored crisis communications plan can help facilitate this, while protecting your organization’s reputation.
“A professional crisis communications plan identifies a crisis team, specifies how media and social media will be handled and discusses additional internal and external communications strategies,” adds Boggs. “A well-prepared plan can ensure your hospital is poised to quickly respond to an escalated situation through effective communications and appropriate action that demonstrates your commitment to patients and staff.”
Strategy #3: Get Ready for New Attack Methods
“Among this year’s mega breaches, the attack on Community Health Systems is the single truly sophisticated case,” says Hayden. Attackers hijacked a remote connection to the organization’s internal network, pivoted among network nodes, exploited subsystems on the network, and established an undetected outbound transfer of patient data. “The foothold attackers initially took advantage of was enabled by a relatively new attack vector, but one which still could have been avoided with a mature information security program,” he explains.
According to Tom Schauer of CliftonLarsonAllen, “One of the best methods to prepare for an attack is to perform covert penetration testing. Covert testing is done without the knowledge of those responsible for breach detection and response.”
Some healthcare organizations concede defeat without testing their networks. Even if you believe your network is porous, security testing provides the benefit of a prioritized road map to improve the controls environment.
Strategy #4: Stay on Top of Mobile
Mobile device management is a hot topic in the industry. By allowing your organization’s users to connect with mobile devices, the perimeter of your network becomes open to an entirely new and uncontrolled class of endpoints. Ensure your organization has safeguards in place to securely manage your entire perimeter. “The same safeguards that protect your internal networks need to protect mobile endpoints, too,” Hayden explains.
Strategy #5: Practice, Practice, Practice
It is never too early to stress test your system to determine whether your organization can detect and shut down an infiltrator stealing data off the network. In every major breach case this year, the organization was infiltrated months before the breach was discovered. In some cases, the FBI notified them of suspicious activity before the health organization saw it on their own network.
Mature information security programs aggregate network and system logs, run periodic algorithmic analysis on these logs, and test them through simulated attacks carried out as penetration tests by technically savvy security firms. “Covert testing is the single, authoritative way to know if your information security program can detect and respond to real-world attacks,” explains Hayden.
At the same time, “You must determine if your organization can efficiently route the news through the proper communication channels,” explains Boggs. “Crisis communications training for your executives, along with a crisis simulation exercise, are essential. You could do everything right with your cybersecurity preparations, but then lose the reputation game on account of the way you ineffectively communicated.”
Casey Boggs is president of LT Public Relations, a national firm specializing in reputation management and serving the communications needs in the healthcare, legal and financial sectors. Before forming LTPR, Boggs served as public relations director at AIG, and managed accounts at Waggener Edstrom and Weber Shandwick, two of the world’s largest public relations firms.
Aaron Hayden is an IT Analyst with CliftonLarsonAllen’s Information Security Services Group. As a former software developer on NASA projects, he was granted access to science data while maintaining the security of mission-critical components. Hayden is Certified in Healthcare Privacy and Security by AHIMA, and holds an Ethical Hacker certification, as well as an MBA.