Security ninja and pen tester David Kennedy shares an interesting snapshot of the healthcare industry and its security breaches this year. The findings are not pretty.
On his SecManiac site is an analysis in which he digs through the documented data breaches chronicled on PrivacyRights.org -- a site that keeps breach stats dating back to 2005. Looking at cases for this year alone, Kennedy finds that the health sector has been the hardest hit in recent months.
Doing some analysis of breaches this year, the healthcare industry has experienced 170 breaches out of the total 480 for 2011. This is more than double that of any other industry listed within the privacyrights.org database. One thing this shows me is that the traditionally notorious education field has gotten significantly better. There were only 52 reported public data breaches in the education field, versus 73 in 2010 and an alarming 101 breaches in 2006. Below is a bit of trending analysis of breaches per year for the healthcare industry.
While doing assessment work for the healthcare industry, and from an outsider's perspective, the potential causes of the heightened level of attacks in the healthcare industry are somewhat clear. For one, HIPAA is heavily relied upon as the security program of the organization. A reactive approach to security and malicious compliance will never equate to building a security program and protecting the organization from attack. The second instance is the asset management and classification programs within the organization. In most cases, the "life or death" systems equate to roughly 5% of the actual systems in the environment. The generalization of hospitals and critical systems is a challenging one. In most cases in a working security program, assets are identified by criticality to the business and then protected based on the level decided by the organization. In healthcare, most systems are thrown into critical assets or "life and death" and never maintain a level of patching, hardening, or security.

In addition to asset classification, the vendor space in healthcare is a pretty rough one. Security hasn't fully matured within the software development lifecycle and been injected into applications for review. Most hospital applications have seldom, if at all, undergone security reviews to ensure the stability of the application. In most cases, service level agreements (SLAs) contain little to no wording around ensuring security and frequent testing of applications. Applications are sold to healthcare organizations and never touched for years to come.
He offers some solid advice for IT security professionals in the healthcare industry:
* Identify critical assets and protect what's critical to the organization
* Develop a risk management program that tackles some of the riskiest areas of the organization
* Leverage HIPAA as a funding source; however, build a security program that is forward thinking and proactive
* Isolate and heavily protect the “life and death” systems while ensuring an extremely high availability of them
* Develop a program that focuses on tackling threats towards the organization versus compliance
* Leverage other industries that have heightened levels of security that can assist in program development
* Place security as a business enhancement of the organization versus an expense and roadblock
* Change the perception that HIPAA is the end-all-be-all in security and protection of patient healthcare information (PHI)
* Understand that nothing will ever be fully secure. The ability to detect, respond, and minimize is an important aspect
* Develop a vendor management program and application security program that combats potentially harmful code being introduced into the environment
* Refrain from purchasing shiny new APT or DLP prevention tools; these will destroy you. Invest in people and process versus silver bullets
I've shown you only a small excerpt of his post. I recommend you go to his site and read the rest.