Want To Beat Auditors And Adversaries? Think Like An Attacker

By: Eric Cowperthwaite, Government Health IT

Security is always a top concern, but the stakes are particularly high in the healthcare industry. The Department of Health and Human Services Office for Civil Rights (OCR) is conducting a tough new round of "desk" audits to measure HIPAA compliance, and their enforcement action against Concentra Health Services [in 2014] is proof they’re not messing around.

Their investigation of Concentra discovered that assessments conducted by the company had identified risks (specifically a lack of encryption on laptops) that they failed to address prior to a laptop being stolen from one of its facilities. Concentra was also found to have insufficient security management processes in place to protect personal health information. They were fined $1.7 million.

And if the OCR doesn’t catch you slacking on the security front, hackers still might. Community Health Systems, which operates 206 hospitals across the United States, recently revealed that hackers broke into its computers and stole data on 4.5 million patients. This includes names, Social Security numbers, physical addresses, birthdays and telephone numbers. In addition to dealing with fines, Community Health will feel the impact of this breach in its patient numbers. Would you go back to a hospital that put you at risk of identity fraud? I didn’t think so.

Unless you’re ready to accept millions of dollars in fines or a massive data breach as regular costs of doing business, it’s time to get serious about risk assessments and risk management. They’re the keys to surviving and thriving in this new environment.

Your organization has probably made substantial investments in security technology. In addition to network firewalls and endpoint protection products, you’ve likely deployed data encryption technology, intrusion detection and prevention systems, vulnerability scanners and log management software, to name a few solutions.

Those tools are important, but are the IT security dollars you are spending today significantly reducing your exposure to risk? Will your current security controls convince auditors that your IT environment and EHR system have been adequately secured against inadvertent data loss or deliberate cyber intrusions? Simply running periodic vulnerability scans, monitoring security events, and tuning device configuration is not enough. In fact, the result is a mountain of data, requiring time and valuable resources to process. And in most cases, your teams are already strapped for time. You need a way to narrow your focus to the most vulnerable points of your network and applications.

You can (and should) take your security program a step further with attack intelligence. This requires looking at your organization through the eyes of an attacker. Understanding how real adversaries will behave in your environment is critical to understanding which vulnerabilities pose the greatest threat to your organization, so you can plan your defense strategy accordingly.

Think of it this way: if a vulnerability somewhere within your organization could lead an attacker only as far as this week’s lunch menu, is it a priority? Is it an area where you should be focusing your limited resources? Of course not. But if a vulnerability could lead an attacker all the way to the medical record application servers or the backend databases that hold ePHI, it must be addressed immediately. Attack intelligence enables you to cut through the noise and focus on protecting the crown jewels.
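The prioritization described above, as an added example that is not from the article or any product it refers to: a small Python model in which hosts, pivot edges and scanner findings are all constructed and hypothetical, and each finding is ranked by whether an attacker starting on the affected host could reach the ePHI systems, and in how many hops, before its raw severity score is considered.

```python
from collections import deque

# Constructed, hypothetical network model (not from the article): each host maps
# to the hosts an attacker could pivot to once that host is compromised.
NETWORK = {
    "guest-wifi-gw": ["cafeteria-web"],
    "cafeteria-web": ["cafeteria-db"],   # serves the week's lunch menu
    "cafeteria-db": [],
    "vpn-gw": ["clinic-workstation"],
    "clinic-workstation": ["file-share", "ehr-app"],
    "file-share": ["ehr-app"],
    "ehr-app": ["ehr-db"],               # medical record application server
    "ehr-db": [],                        # backend database holding ePHI
}
CROWN_JEWELS = {"ehr-app", "ehr-db"}     # assets that must be protected first

# Constructed scanner findings: (finding id, affected host, CVSS-style base score).
FINDINGS = [
    ("VULN-A", "cafeteria-web", 9.8),
    ("VULN-B", "vpn-gw", 7.5),
    ("VULN-C", "file-share", 6.5),
    ("VULN-D", "guest-wifi-gw", 8.1),
]


def attack_path(network, start, targets):
    """Shortest pivot chain (BFS) from a compromised host to any crown jewel, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        if host in targets:
            path = []
            while host is not None:          # walk parents back to the start host
                path.append(host)
                host = parent[host]
            return path[::-1]
        for nxt in network.get(host, []):
            if nxt not in parent:
                parent[nxt] = host
                queue.append(nxt)
    return None


def prioritize(findings, network=NETWORK, targets=CROWN_JEWELS):
    """Remediation order: findings that reach ePHI first, fewer hops first, then higher score."""
    rows = [(v, h, s, attack_path(network, h, targets)) for v, h, s in findings]
    rows.sort(key=lambda r: (r[3] is None, len(r[3] or []), -r[2]))
    return rows
```

Calling `prioritize(FINDINGS)` puts the 6.5-rated file-share finding ahead of the 9.8-rated cafeteria finding, because only the former has a path to the EHR systems.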

If you can predict where the hackers will strike and build your defenses accordingly, you will find the major security gaps before the “bad guys” (or the “good guys” looking out for patients’ right to privacy) beat you to it.

This strategy will help your program meet crucial industry regulations, make your security team more efficient, and most importantly, protect patients. So take a hard look at your security program through the eyes of an attacker.

Do you like what you see?