How a data-driven approach to security helps a small healthcare team embrace automation

Not-for-profit Martin's Point Health Care created a data-driven security framework to automate how threats are evaluated.

The healthcare industry is an inviting and lucrative target for threat actors. It holds large amounts of valuable personal, health and finance data, often in environments that depend on legacy technology that is hard to patch and that are defended by small teams with limited resources. Worse, the cost of data breaches at healthcare organizations is high. Not only does the healthcare industry have the highest cost per record breached according to the 2018 Ponemon Cost of a Data Breach study ($408, nearly double the next-highest industry), but research published last year suggested healthcare data breaches may cause as many as 2,100 deaths per year in the United States.

One healthcare organization is turning to automation and orchestration to maximize the effectiveness of its small team. Martin’s Point Health Care’s information security officer has built a new framework to support what the company calls a “data-driven approach” to security.

Small team vs. regulations and nation-state attacks

Martin’s Point is a not-for-profit organization providing healthcare services and health insurance plans – both Medicare and Tricare – in Maine and New Hampshire. It has seven healthcare centers and employs 800 staff across 18 U.S. locations. Matthew Witten has been information security officer of Martin's Point since 2015. Previously CISO for the Louisville Metro Government at the University of Louisville, he was brought in to Martin’s Point as the organization’s first security officer to build a full security program.

Witten's five-person security team – including a former oncology nurse who found a second career within the security operations center (SOC) team – protects health and insurance records for 80,000 people on its health plans, plus over 100,000 more on the patient delivery side. As Martin’s Point deals with health and finance data, it is regulated by the likes of PCI DSS and HIPAA, but Witten jokes that “HIPAA is a walk in the park” compared to regulatory requirements around Department of Defense data for the military personnel it serves under the Tricare plan.
