Protecting Your Business' Healthcare Data

Key findings from the Verizon DBIR report for the healthcare industry

As an information security professional, it can be difficult to know where to concentrate your efforts. Some threats are overhyped, while others slide in under the radar. That's why every year Verizon publishes its Data Breach Investigations Report, or DBIR. The report works through the incidents and breaches reported in the previous year, industry by industry, and breaks down the statistics for each: types of attacks, their origin, types of data compromised, attackers' motivations and more. This article looks specifically at what the 2017 DBIR says about attacks on the healthcare industry, so you can prioritize the likely threats and engage in focused, careful threat management.

The Danger of Ransomware

Ransomware attacks are making news, and it's no wonder. They are on the rise: the 2017 DBIR found that nearly three-quarters of the malware incidents it recorded in healthcare were ransomware. Ransomware usually encrypts your data in place rather than stealing it, so whether a given infection also counts as a data breach is often unclear, but it makes the data inaccessible and can cost you thousands of dollars. (Even if you pay, your data may not be restored, and your systems may still be infected.) Make sure your facility is protected:

  • Back up your data regularly, keep at least one copy offline or otherwise out of reach of the systems it protects, test that restores actually work, and make sure all systems receive security patches and updates promptly.
  • Educate your employees about basic data hygiene techniques, like not opening unexpected attachments. Warn them about any ransomware that's making the rounds, and train your staff about responding to incidents.
  • If a system is compromised, disconnect the affected devices from the network right away so the infection can't spread to others.

An Ounce of Prevention

Many of the data breaches in the healthcare field this year were easily avoided mistakes. That's no great surprise: healthcare facilities process an enormous amount of sensitive information every day, and even with HIPAA and other regulations in place, employees still err. Protect your organization's data:

  • Make sure your facility has procedures in place to prevent the accidental publication or exposure of data, for example records sent to the wrong recipient.
  • Train new employees in these procedures, retrain existing ones regularly, and check that the procedures are actually being followed.
  • Have procedures for properly disposing of personal and medical data, including destruction of hard drives and other storage media and shredding of paper records.
  • Encrypt all mobile devices and laptops, so that a lost or stolen device does not become a breach.
  • Require at least two employees to authorize any change to published data, so your facility doesn't publish anything erroneously.

Just for Fun

Different fields see different motives for data breaches. Sometimes the goal is sensitive personal information for identity theft, or espionage; these attacks are usually carried out by hostile attackers outside the organization. But a little over a third of data breaches in the healthcare field aren't "attacks" at all. Shockingly, they're committed just for fun, by employees within the organization who are bored or curious about patients' conditions. You can take a few steps to protect against this:

  • Instill a culture of respect and caring within your organization -- but remember that this will only do so much.
  • Monitor access to critical systems, log who views which records, and limit access to what each role actually needs. Set up different levels of access for different classes of employees, and review the logs for staff viewing records of patients they aren't treating.
  • Put up banners and warnings in employees' work areas and on login screens, reminding them that their access is monitored and that they should be scrupulous.
  • If you see employee misconduct, deal with it quickly so other employees don't think this kind of conduct is acceptable.
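The monitoring step above, as an added example that is not part of the original article: a small Python script that parses constructed EHR access-log lines and flags the kinds of curiosity-driven access described here, namely staff viewing records of patients outside their assigned roster, staff looking up a colleague's own patient record, and a user touching more distinct records in a day than their role normally needs. The log format, the roster, the staff-to-record mapping and the per-role thresholds are all assumptions made for illustration, not DBIR data or any real EHR product's format.

```python
"""Flag curiosity-driven record access in a constructed EHR audit log.

Added example. The log format, ROSTER, STAFF_PATIENT_ID and
DAILY_DISTINCT_LIMIT are illustrative assumptions, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit lines: timestamp, user, role, patient_id, action.
SAMPLE_LOG = """\
2017-06-01T08:02:11 nurse.ali RN P1001 VIEW
2017-06-01T08:05:40 nurse.ali RN P1002 VIEW
2017-06-01T08:07:03 dr.chen MD P1002 VIEW
2017-06-01T12:31:55 clerk.bo CLERK P2001 VIEW
2017-06-01T12:32:10 clerk.bo CLERK P2002 VIEW
2017-06-01T12:32:25 clerk.bo CLERK P2003 VIEW
2017-06-01T12:32:41 clerk.bo CLERK P2004 VIEW
2017-06-01T12:33:02 clerk.bo CLERK P2005 VIEW
2017-06-01T12:33:20 clerk.bo CLERK P2006 VIEW
2017-06-01T15:10:09 nurse.ali RN P3001 VIEW
2017-06-01T15:11:44 nurse.ali RN P9002 VIEW
"""

# Constructed care roster: patients each clinical user is assigned to.
# Users with no roster entry (front-desk clerks) are only volume-checked.
ROSTER = {
    "nurse.ali": {"P1001", "P1002"},
    "dr.chen": {"P1002", "P1003"},
}

# Constructed mapping of staff members to their own patient record, so that
# staff looking up themselves or a colleague can be flagged.
STAFF_PATIENT_ID = {"nurse.ali": "P9001", "dr.chen": "P9002"}

# Assumed number of distinct patients a role normally touches in a day.
DAILY_DISTINCT_LIMIT = {"RN": 20, "MD": 30, "CLERK": 5}


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse whitespace-separated audit lines, skipping blank or malformed ones."""
    accesses = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        accesses.append(Access(*parts))
    return accesses


def find_snooping(accesses, roster, staff_ids, limits):
    """Return (reason, user, detail) alerts for suspicious record access."""
    alerts = []
    record_owner = {pid: who for who, pid in staff_ids.items()}
    distinct = defaultdict(set)  # user -> set of distinct patient ids viewed
    roles = {}                   # user -> role seen in the log
    for a in accesses:
        distinct[a.user].add(a.patient)
        roles[a.user] = a.role
        owner = record_owner.get(a.patient)
        assigned = roster.get(a.user)
        if owner is not None:
            kind = "self-record" if owner == a.user else "colleague-record"
            alerts.append((kind, a.user, a.patient))
        elif assigned is not None and a.patient not in assigned:
            alerts.append(("off-roster", a.user, a.patient))
    for user, patients in distinct.items():
        if len(patients) > limits.get(roles[user], 0):
            alerts.append(("volume", user, str(len(patients))))
    return alerts


def run_report():
    """Run the checks over the constructed sample log."""
    return find_snooping(parse_log(SAMPLE_LOG), ROSTER,
                         STAFF_PATIENT_ID, DAILY_DISTINCT_LIMIT)


if __name__ == "__main__":
    for reason, user, detail in run_report():
        print(f"{reason:17} {user:10} {detail}")
```

On the sample log this reports nurse.ali viewing off-roster patient P3001 and dr.chen's own record P9002, and clerk.bo touching six distinct records against a clerk limit of five. Real deployments should feed the roster from the scheduling or ADT system and tune the volume thresholds per role and shift, otherwise the volume rule will either drown reviewers in noise or miss the bored browser entirely.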

Every year the Verizon DBIR gives information security professionals valuable information about their fields. As an IT professional, it's important to understand that the threats you face may not be the same as those in other fields. By educating yourself about the security threats that afflict facilities like yours, you'll be able to take real-world steps to improve your organization's information security, and rally others within your organization to protect data, too.
