Before we go on, let’s back up a bit and understand the challenges to healthcare security and patient data.
Recent research from Accenture indicated that more than one out of four US healthcare consumers (26 percent) have experienced a breach of their digital healthcare data, which may include their Social Security number, contact information, electronic medical record, and/or health insurance ID.
From there, Accenture research showed that half of those people were victims of medical identity theft. Among those who experienced identity theft, most consumers report the incident cost them an estimated $2,528, on average, per incident. That’s a serious price to pay for the consumer and a very serious burden to carry by the healthcare provider.
So, what can healthcare organizations do to help mitigate these kinds of threats?
I recently had the pleasure of co-authoring the latest AFCOM State of the Data Center report. There, we got the chance to see the most important security services and processes that are being adopted to help combat some of the most advanced threats in the industry.
The top five are:
Data Loss Prevention (DLP)
You can do some advanced tracking of the data that’s flowing through your network. These types of solutions help ensure that you have good visibility into your network, storage, and even end-user layer. DLP technologies will help you analyze specific, sensitive, data sets within your network. Remember, your network layer acts as both a sensor and enforcer when it comes to security.
A data security architecture may very well limit the impacts of a potential attack because of intelligent segmentation and data visibility. Remember, you’re not just trying to catch the bad guys; you’re also trying to ensure that healthcare associates don’t “accidentally” store PHI/PII on their own devices.
This security feature speaks for itself. Basically, can you quickly respond and mitigate an incident? But, how well are we really doing when it comes to incident detection? Well, I had to do a double-take when I saw this stat from Accenture research: Half of consumers who experienced a breach found out about it themselves. Accenture research also showed that just fewer than half were proactively notified and about one-third learned about the breach passively.
So, there’s room for improvement here. Network sensors, data monitors, and even integration with physical infrastructure can all help alert to an incident faster. Be sure to leverage DLP tools, network monitors, data/network segmentation, and mobility control to help incident detection and even response.
Cloud Security (multi-cloud, point-to-point, data, etc.)
As more healthcare organizations move into cloud, remember that you’ll need to evolve your security practices as well. Basically, there are great solutions which can help with cloud-to-cloud security and even help you monitor the flow of data between on premise and cloud ecosystems. Furthermore, you can leverage HIPAA-compliant cloud and data sharing solutions.
We’ve come to a point where cloud infrastructure is much more versatile, especially for healthcare customers. I’ve had the chance to work on projects where we move healthcare workloads into the cloud.
Throughout the entire process, we extend security architecture into cloud and ensure that proper systems are in place. This might mean deploying a virtual firewall or even some kind of data analytics solution to monitor cloud data traffic and your PHI. Bottom line, don’t be afraid of cloud; but do ensure proper designs.
Endpoint Detection and Response (EDR)
First, it’s important to note that EDR is a subset of endpoint protection (EPP). To that extent, EDR provides some advanced features when it comes to working with the endpoint. So, it’s important to work with endpoint protection solutions which go beyond antivirus and antimalware solutions.
When it comes to EDR, we’re seeing a lot of adoption. The latest Markets and Research report indicated that the EDR market size is estimated to grow from $749.0 million in 2016 to more than $2.2 billion by 2021.
The key drivers for this growth include the need to mitigate IT security risks and threats such as malware, ransomware, and advanced persistent threats, along with a rising enterprise mobility trend across organizations.
If this is a new term for you, start reading more about the kinds of additional services EDR can provide and where it can help you further secure mobile users and various kinds of endpoints.
Web Application Security
I’m a big fan when it comes to leveraging web application security platforms. And, the good news is that I’m not the only one.
Recent Gartner reports predicted that by 2020, more than 50 percent of public-facing web applications will be protected by cloud-based web application firewall (WAF) service platforms, combining content delivery network (CDN), distributed denial of service (DDoS) protection, bot mitigation, and WAF, up from less than 20 percent today.
Within healthcare, you’re capable of leveraging both on premise as well as cloud-based web application security solutions. Plus, these are multi-faceted tools that can bring extra levels of security and redundancy to your applications. So, if you require a bit of additional security and resiliency for your critical apps, look to web application security solutions to help.
In the healthcare world, it’s critical to deploy solutions which specifically cater to your user and data requirements. Be sure to align strategies with various types of security services and always do your best to remain agile. Remember, the bad guys are always taking aim at your systems. This means that security best practices and seeing the big picture are all going to help you gain a better vision into your security requirements.
Although you might not be able to stop everything, mitigating threats and isolating attacks can greatly help reduce the impact of any attack or breach. That said, leverage the solutions that will help you sweat a little less and ones that will help keep your security platform agile.
Original article by Bill Kleyman
This post was curated with edits by Gordon Fletcher, Principal Consultant(Engineering & Mobile Technology) at Compumagick Associates can be reached at https://www.compumgickassociates.com/contact, @compumagick