HIPAA, GDPR and the Dreaded “Second Hop” Security Problem

Malicious attacks targeting a healthcare company’s confidential data are nothing new. The industry has lived under the stringent HIPAA requirements for years, and many organizations have made great strides deploying systems to manage and protect their data. What is disturbing, however, is the number of breaches that still occur.

A recent example: LifeBridge is just now disclosing a breach that happened in September 2016 and affected the personal information of 500,000 patients. What is interesting and relevant to understand is the length of time it took to discover the breach, and that the attack came via a phishing campaign through one of the healthcare partners/affiliates. Security architectures widely deployed with the best defenses money can buy still suffer from advanced threats that go unnoticed for months.

Another recent example of a major breach occurred at a medical center in New Jersey. It was fined more than $400k for a data breach caused by its third-party medical transcription partner. Third-party risks continue to plague all industries. This isn’t surprising in our breach-a-day cybersecurity landscape.

Many have been fined under HIPAA, and the stakes are now higher under GDPR. While HIPAA limits fines to $50,000 per instance (in some cases, per lost record), GDPR fines can reach 4% of total revenues. Before the U.S. healthcare industry starts avoiding opportunities with EU (dual-) citizens and third-party providers, perhaps it’s time to consider alternative new security technologies to lessen the chance of breaches. Frankly, the risks and costs due to fines are too high. The effort to improve security and stop data loss of health records need not be as costly and complex as a government “modernization” program, where cost overruns have plagued the U.S. Government and the VA system for so long. But current “best practices” need to be reviewed with care.

Two important factors in this threat landscape need to be considered. Perhaps the most significant is the amount of time an attacker can go unnoticed, in some reported breaches as long as months. This is simply untenable. No healthcare provider should stand for an attacker rooting around its networks unnoticed for months. This raises the question of how one might learn quickly that a remote attacker is cohabiting with legitimate users.

Even if best practices are followed to ensure the internal network security posture is at its best, third-party risk can easily thwart the best designs. Organizations cannot operate without partners and professional relationships with whom sensitive data is shared. It is those third-party networks that cause the greatest concern. A well-managed security operation within a healthcare company cannot control what its third parties do with its data all of the time. The NJ medical center breach makes that clear. The GDPR regulations also make it clear that the data owner is the responsible party and that no non-disclosure agreement provides sufficient legal protection.

Although a number of IRM and DRM solutions are broadly available, none of them adequately covers the “second hop” problem: data legitimately shared with a third party may leak from that third party to an unauthorized party. It is the data owner that must know when such a breach has occurred, and as quickly as possible. For these reasons, IRM-based solutions need to be augmented with data tracking solutions. No data should be left with a trusted third party without adequately tracking that party’s own behavior with your data. Time is of the essence in learning whether and when your health records and sensitive data have been mishandled and leaked; augmenting IRM solutions with data tracking seems prudent, and far less risky.

*** This is a Security Bloggers Network syndicated blog from RSAConference Blogs RSS Feed authored by Salvatore J. Stolfo. Read the original post at: