Defense-in-Depth: Key for Healthcare Data
Healthcare organizations must adopt defense-in-depth strategies to keep information protected at all times
A study conducted by IBM revealed that it takes the healthcare industry nearly a year to identify and contain a data breach. To reduce the time spent on remediation, regulatory inquiries and litigation in the years following a breach, organizations must implement the proper security measures and defense-in-depth strategies before a cyberattack takes place. According to the same IBM study, organizations that plan data recovery proactively can decrease both the cost and the frequency of data breaches by more than 30%. On average, companies with business continuity management programs identify a data breach 44 days sooner and contain it 38 days sooner.
To close security gaps and mitigate cyberattacks such as phishing schemes, two-factor authentication (2FA), also known as multi-factor authentication (MFA), must be used on every device that sends or receives protected health information (PHI). Over the years, phishing schemes have shifted from traditional malware infections to attempts to steal personal information. Two-factor authentication can defeat phishing schemes by requiring, at each access point, a combination of credentials that only the legitimate patient, doctor, billing operator or pharmacist can supply. That combination can be a strong password paired with a personal PIN, or a smart card backed by a fingerprint.
Many organizations assume that if their email solutions comply with data privacy regulations, they cannot fall victim to malware or phishing schemes. However, even with SOC 2 and HIPAA compliance in place, an email message typically passes through multiple servers before it reaches its final point of delivery. This indirect transmission path leaves protected health information and other unstructured data exposed to cyberattacks along the way. To protect sensitive information, organizations must use document delivery systems with in-network routing and strong encryption that secure the endpoints and protect information both in transit and at rest.
Every organization should use well-defined end-to-end encryption methods, such as the Elliptic Curve Integrated Encryption Scheme (ECIES), to transfer information securely between two endpoints. This hybrid encryption scheme uses elliptic-curve key agreement to establish a shared secret between the peers, which seeds the symmetric encryption with unique keying material, while signing and authentication mechanisms ensure the integrity of the data in transit. Even if a third party eavesdropped on the network traffic, the information itself would be indecipherable.
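The ECIES pattern described above, as an added Go example that is not part of the original article: an ephemeral P-256 key agrees with the recipient's static public key, one HKDF-SHA256 round derives a fresh AES-256 key from the shared secret, and AES-GCM provides both secrecy and an integrity tag that rejects any tampering. It assumes the recipient's public key was distributed out of band, uses a constructed HKDF label ("phi-ecies-v1") and wire layout chosen for this example, and omits the separate signature layer the article mentions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const pubLen, nonceLen, tagLen = 65, 12, 16 // uncompressed P-256 point, GCM nonce, GCM tag
// must panics only on setup failures impossible with well-formed keys; untrusted input is checked in Decrypt.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// aeadFor turns the raw ECDH secret into an AES-256-GCM cipher through one HKDF-SHA256
// extract/expand round (RFC 5869), so the shared secret itself is never used as a key.
func aeadFor(secret, ephPub []byte) cipher.AEAD {
	prk := hmac.New(sha256.New, ephPub) // HKDF-Extract, salted with the ephemeral public key
	prk.Write(secret)
	okm := hmac.New(sha256.New, prk.Sum(nil)) // HKDF-Expand, a single 32-byte block
	okm.Write([]byte("phi-ecies-v1\x01"))     // example-specific info label || block counter
	return must(cipher.NewGCM(must(aes.NewCipher(okm.Sum(nil)))))
}
// Encrypt follows the ECIES pattern: an ephemeral P-256 key agrees with the recipient's static
// key, a fresh symmetric key is derived from the result, and AES-GCM seals the plaintext.
func Encrypt(recipient *ecdh.PublicKey, plaintext []byte) []byte {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	ephPub := eph.PublicKey().Bytes()
	gcm := aeadFor(must(eph.ECDH(recipient)), ephPub)
	nonce := make([]byte, nonceLen)
	must(rand.Read(nonce))
	// Wire layout: ephPub || nonce || ciphertext || tag; ephPub is also bound in as associated data.
	return gcm.Seal(append(ephPub, nonce...), nonce, plaintext, ephPub)
}
// Decrypt re-derives the key with the recipient's private key and fails closed on malformed or modified input.
func Decrypt(priv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) < pubLen+nonceLen+tagLen {
		return nil, fmt.Errorf("ecies: message too short (%d bytes)", len(msg))
	}
	ephPub, err := ecdh.P256().NewPublicKey(msg[:pubLen]) // rejects points not on the curve
	if err != nil {
		return nil, fmt.Errorf("ecies: bad ephemeral key: %w", err)
	}
	gcm := aeadFor(must(priv.ECDH(ephPub)), msg[:pubLen])
	return gcm.Open(nil, msg[pubLen:pubLen+nonceLen], msg[pubLen+nonceLen:], msg[:pubLen])
}
```

Because the key agreement uses a fresh ephemeral key per message, two encryptions of the same record produce unrelated ciphertexts, and a captured message cannot be decrypted without the recipient's private key.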
Forescout researchers determined that 39% of IoT devices and 53% of common medical devices still run on legacy platforms. Research from Vectra has shown that legacy systems, insufficient access controls and the proliferation of medical IoT devices have created security vulnerabilities that leave hospitals wide open to cyberattacks. To operate securely alongside legacy systems, organizations can extend messaging applications and analog fax machines to the cloud. A hybrid-cloud network that meets encryption standards and compliance regulations keeps unstructured data and confidential information secure.
Overall, organizations must implement multiple, layered defense-in-depth strategies to maintain the highest level of security at all times. Two-factor authentication, in-network routing and end-to-end encryption together can effectively safeguard business-critical data and protected health information from cyberattacks.