HIPAA Compliance—Cyberattackers Aren’t Fazed
In spite of longstanding HIPAA compliance requirements, and the billions of dollars being invested to ensure HIPAA compliance, it seems that cyberthreats and attackers aren't fazed. Healthcare suffered some of the largest breaches ever reported in 2015. The breach at Anthem compromised 78.8 million records, and two additional breaches exposed more than 10 million records each [1]. The following year, 2016, saw the highest number of breaches, with 327 reported. The number of breaches in 2017 surpassed 2016, with more than 342 reported. While the number of breaches grew, the number of compromised records dropped from 112 million in 2016 to a little more than 14 million in 2017.
The number of breaches involving more than 10,000 records has varied: 52 in 2015, 82 in 2016, and 78 in 2017 [2]. The ups and downs likely reflect waves of cybercrime tactics and threat types. After a wave of ransomware attacks, healthcare organizations have become more vigilant about Cryptolocker-type threats. But attackers continue to adapt their techniques, so organizations need to be prepared for the new threat campaigns that will inevitably appear in the future.
Despite increasing enforcement of HIPAA, US healthcare-related organizations of all kinds are still attacked, and millions of healthcare records are still compromised each year. Of course, the problem is not confined to the US. Data protection laws around the world [3] include requirements for defending healthcare data, although it is difficult to determine how many breaches have been reported over the past few years. But one thing is certain from the data: attackers aren't deterred, whether or not an organization is compliant with relevant privacy regulations.
Medical IoT and the Extended Ecosystem - More Ways For Attackers to Strike
One of the reasons that attackers will continue to target healthcare is its rapidly expanding attack surface [4]. Life science and medical technology advances are creating new frontiers in medicine with biosensors, the Internet of Medical Things (IoMT), telehealth advances, digital analytics, and more. Too often, the technology enabling these initiatives is not designed with security in mind, opening new avenues for attackers to exploit. Best of all, from an attacker's viewpoint, the movement towards giving patients more active control over their health assures the longevity of social engineering attacks. Getting a patient to click on a malicious link gives an attacker a foothold in a healthcare network, whether through a non-secure device, malicious software, or simply human error.
A Simpler, More Proactive Approach to Staying HIPAA-Compliant
The converging trends of greater healthcare complexity and ongoing cyberattack evolution are why healthcare organizations need solutions that simplify compliance with HIPAA and safeguard security of their assets and initiatives, and—most importantly—their patients. These solutions must relieve the burden on overtaxed IT and security teams, giving them instant visibility, forensic data, and proactive tools necessary to focus defenses most effectively.
Part of the overall regulation, the HIPAA Security Rule specifically focuses on the safeguarding of individuals’ electronic protected health information (ePHI) through the implementation of “administrative, physical, and technical safeguards”. Coalfire recently completed a multi-faceted technical validation showing how Illusive can help organizations meet many areas of HIPAA regulation.
Coalfire found that the Illusive platform can provide coverage for the following:
- Administrative Safeguards:
  - Risk Analysis
  - Risk Management
  - Information System Activity Review
  - Protection from Malicious Software
  - Security Incident Procedures
  - Response and Reporting
- Technical Safeguards:
  - Audit Controls
- Physical Safeguards:
  - Device and Media Controls
Illusive's deception-based platform addresses a broad range of cyber risk by alerting teams when attackers who are already inside the network attempt to move laterally toward critical systems. Illusive Attack Surface Manager preemptively identifies and removes unused credentials and connections that would otherwise give an attacker more tools for lateral movement. Illusive forensic data, combined with Attack Surface Manager and Attacker View, shows teams the actual proximity of an attacker to crown jewels, enabling them to map their assets, prioritize options, and assess risk. Illusive solutions are lightweight and easy to deploy, use and manage, empowering defenders of all skill levels and across industry categories.
Meeting—and then exceeding—HIPAA requirements with proactive capabilities provides a strong foundation for getting in front of new waves of cyberattacks. Download the Coalfire assessment, How Illusive Networks Technology Supports HIPAA: A Technical White Paper here.
1. Largest Healthcare Data Breaches of 2017, HIPAA Journal, Jan. 4, 2018. https://www.hipaajournal.com/largest-healthcare-data-breaches-2017/
2. Largest Healthcare Data Breaches of 2017, HIPAA Journal, Jan. 4, 2018. https://www.hipaajournal.com/largest-healthcare-data-breaches-2017/
3. Data Protection Laws of the World, DLA Piper, 2018. https://www.dlapiperdataprotection.com/index.html?t=law&c=AR
4. 2018 Global Health Care Outlook: The Evolution of Smart Health Care, Deloitte. https://www2.deloitte.com/global/en/pages/life-sciences-and-healthcare/articles/global-health-care-sector-outlook.html