How to avoid being the next hospital breach

With all the talk about compliance and regulations, particularly when it comes to patient data, it's confounding to read about all of the hospitals that have been victims of breaches. One would think security teams in the healthcare sector are bringing their A game when it comes to defending their most valuable assets.

I've spoken with a couple of security researchers and experts, so tomorrow's post will also examine this topic, as it seems to me that hospitals--the very places that tend to the ill--are more and more the targets of illicit acts by bad actors. Would it be unreasonable to request that even criminals possess some code of ethics? Perhaps they might all take an oath to grant immunity to the health care industry as a whole?

The latest breach at Massachusetts General Hospital suggests, though, that the hospital itself wasn't the weak link: this breach was supply chain related. Even for those who are doing all that they should to defend their environments, third parties still put them at risk.

Patterson Dental Supply, which provides software to the hospital to manage dental practice information for a number of providers that includes the Boston hospital, said that an unauthorized individual gained access to electronic files on the company’s systems in early February.

The hospital said files contained some MGH dental practice information, including the patient names, birthdays, Social Security numbers and — in some instances — the type of dental appointment, provider name and medical record number.

In a press release, the hospital said it began sending letters to affected individuals and had set up a dedicated call center to answer questions. Hospital spokesman Mike Morrison said though the hospital received permission to begin notifying patients in late May, the hospital needed time to identify which patients had been impacted.

MGH said the vendor has already enhanced the security of the systems that maintain dental records, but many have questions about the increasing security issues with third-party vendor management for the healthcare industry.

Lysa Myers, senior researcher at ESET, said that in order to avoid being the next victim, organizations should do things like:

Mapping locations of sensitive data: Collaborate across all relevant teams to determine which data—intellectual property, employee records, financial information, credit card data—is considered sensitive by the organization. Information security should audit for all locations of that sensitive data on the network, as well as for the locations of copies of that data that may be accessible to your vendors' staff. Apply the principle of least privilege: for example, don't give users admin rights to their machines if they don't need them, and limit their ability to access parts of the network they don't legitimately need to use.

Building security assurances into vendor/partner agreements: Advise your legal team to add a corporate data security and incident response policy into vendor agreements and to stipulate compliance with them.

Adding depth and breadth to basic security practices: Recommended protections include network segmentation, multi-factor authentication, and strong passwords.

Encrypting data in transit: Ask how vendors are protecting sensitive data; both you and the vendor should encrypt sensitive data as it's sent over the network, such as via the web or email.

"Working together, every department and manager involved with the supply chain and partner organizations can build a safe environment. Doing so before a cyber attack or accidental data breach occurs can close a critical gap in your organization’s security posture," Myers said.
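The first recommendation above, auditing where sensitive data (and stray copies of it) lives and who can read it, can be started with a simple discovery scan. The following is an added illustration, not code from the article or from ESET; it builds a constructed directory tree with fake dental records, finds files holding SSN-formatted values, and flags copies that are readable by everyone on the host (assumes POSIX permission bits).

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Dashed US Social Security number shape (illustrative; real audits add more patterns).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Text-like file types worth scanning; binary formats are skipped here for brevity.
SCAN_SUFFIXES = {".txt", ".csv", ".log", ".json", ".xml"}


def scan_file(path):
    """Return (ssn_match_count, world_readable) for one file, or None if unreadable."""
    try:
        text = Path(path).read_text(errors="ignore")
    except OSError:
        return None
    count = len(SSN_RE.findall(text))
    mode = os.stat(path).st_mode
    return count, bool(mode & stat.S_IROTH)


def map_sensitive_data(root):
    """Walk root and list every scanned file that contains SSN-like values.

    Each finding is (posix relative path, match count, world_readable). Files with no
    matches are omitted, so the result is a map of where the sensitive data actually
    lives, including forgotten copies in export or vendor share folders.
    """
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCAN_SUFFIXES:
                continue
            result = scan_file(p)
            if result and result[0] > 0:
                findings.append((p.relative_to(root).as_posix(), result[0], result[1]))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed tree with fake records (made-up values, not real patients)."""
    root = Path(tempfile.mkdtemp(prefix="phi-map-"))
    (root / "dental").mkdir()
    (root / "vendor_export").mkdir()
    master = root / "dental" / "patients.csv"
    master.write_text("name,dob,ssn\nJane Doe,1980-01-02,123-45-6789\nJohn Roe,1975-03-04,987-65-4321\n")
    master.chmod(0o600)  # owner-only, as least privilege would expect
    copy = root / "vendor_export" / "patients_backup.csv"  # stray copy on a shared path
    copy.write_text("Jane Doe,1980-01-02,123-45-6789\n")
    copy.chmod(0o644)  # world-readable: the kind of finding the audit should surface
    (root / "dental" / "schedule.txt").write_text("09:00 cleaning\n10:30 crown\n")
    return root
```

Run `map_sensitive_data(build_sample_tree())` to see the master file and the exposed backup copy reported, while the schedule file with no identifiers is left out.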

Stories by Kacy Zurkus