BreachExchange mailing list archives

Healthcare adjusts to life as hacker target


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 1 Jul 2015 18:50:01 -0600

http://www.healthcareitnews.com/news/healthcare-adjusts-life-hacker-target

During the Cold War, back when Richard "Dickie" George was a mathematician
at the National Security Agency, security meant something different than it
does today. The foes knew one another well. And if there was plenty of
skulduggery to go around, at least there were some recognizable rules of
engagement.

"Back when it was us and the Soviets, there was about one big espionage
event every 10 years," he said, speaking at the Healthcare IT News Privacy
& Security Forum in Chicago on Tuesday.

In the 21st Century, the threat landscape is very, very different, said
George, now a senior advisor for cybersecurity at Johns Hopkins University
Applied Physics Lab.

To wit: There were more than 41,000 cyberattacks on government agencies in
2010 alone. That number has only risen. And the malefactors are only
getting more insidiously creative.

"They just caught a refrigerator sending out 100,000 phishing emails," said
George. "A refrigerator! It's a different world."

A different world, and a dangerous one. That was the theme that emerged –
and was driven home again and again – at the Privacy & Security Forum.

Healthcare, especially, is at risk: Medical data is the number one aim for
hackers and medical devices are loaded with potentially fatally exploitable
malware, said George, whose talk's title – "Healthcare's Brave New World:
Life as a Target" – said it all.

At Johns Hopkins, the challenge is acute and complex, he said: A network of
hospitals, with the need to share information constantly. Add in myriad
affiliated physicians practices of various shapes and sizes. And the fact
that it's a large research university, with scores of students, many of
whom are foreign nationals, with access to very sensitive health data.

"Risk management is really hard," said George.

Unfortunately, nowadays "everything you do is a risk management decision,"
he said. Because in an interconnected healthcare ecosystem, risk is
omnipresent.

If you start with 1 percent good behavior and 99 percent bad behavior, and
then work hard to improve that to 99 percent good behavior and 1 percent
bad, you still haven't improved your security, said George. That 1 percent
is still enough to pose a serious security risk.

"People write code," he said. "People make mistakes. Security is never
going to be perfect. People are going to get in."

Indeed, hackers' "creativity is shocking in some cases," said Dan Bowden,
chief information security officer at University of Utah Health Care.

Bowden said he has seen an uptick in aggressiveness and ingenuity recently,
with phishing and zero-day attacks sharing more and more in common – almost
becoming synonymous in some cases.

That necessitates an "endless cycle of discussion" reassessing data
policies, IT strategies and vendor relationships, he said.

(One tip for those looking for business associates with smart security
strategies, he added: any time a vendor touts the fact that it's
"HIPAA-compliant," that should be "one of the biggest red flags." It speaks
to a fundamental misunderstanding of what strong security requires.)

The threat is so omnipresent – and potentially so ruinously expensive –
that many providers are increasingly turning to cyber insurance as a risk
mitigation strategy, said Erin Whaley, an attorney with Richmond,
Virginia-based Troutman Sanders.

Such investments can indeed help defray a host of costs associated with a
breach – hefty patient notification costs, fines, money spent hiring PR to
restore damaged reputations, even funds to pay blackmail threats from
ransomware, she said.

It's important, however, to tailor coverage levels to one's own
organizational needs, adjusting according to gaps and vulnerabilities.

"If you've seen one cyber policy, you've seen one cyber policy," said
Whaley.

In fact, "you may need layers of coverage to get to limits that make you
feel comfortable," she said. "Even then, it may not cover all the costs
associated with a breach."

One certainty exists, however: "Good insurance doesn't replace good
security," said Whaley. "Good security is a prerequisite."

Insurers won't underwrite policies without demonstrably robust security
practices, she said, since the payouts associated with healthcare data
breaches are so huge.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 