Cybercriminals love healthcare data. TechRepublic spoke with enSilo's Roy Katmor about solutions that will keep it out of their hands.
If public health news were this bad, we would call it an epidemic.
Even before the second quarter had started, the Washington Post named 2015 the "year of the health-care hack." As a result of the 15 largest healthcare data breaches last year, the medical records of 110 million Americans were compromised. Putting that into perspective, that's almost half the adult population of the U.S.
Startup firm enSilo wants to enable healthcare IT defense by shifting from detection to prevention. The company offers a real-time, anti-exfiltration platform geared for targeted attacks.
Unlike the financial sector, security awareness in healthcare is lagging. Also unlike the financial sector—and much to the chagrin of the industry—hacked medical records command a premium on the black market because health data is far more permanent. Healthcare organizations are facing a cybersecurity crisis.
EnSilo CEO Roy Katmor recently spoke with TechRepublic via email about cyberthreats facing healthcare in 2016, how security thinking needs to change in the sector, and what technologies can best help security pros in healthcare organizations.
TechRepublic: Why is healthcare a bigger target for cyberattacks compared to other industries, as well as national governments?
Roy Katmor: Apart from the typical payment and contact information stored by entities in other industries, healthcare-related organizations also process patients' medical records, which can be exploited by threat actors for nefarious activities like insurance fraud, identity theft, and extortion of businesses and individuals. Once in attackers' hands, this type of data cannot be expired even when reported as stolen, such as in the case of a credit card, and can even be re-sold to multiple interested parties. Due to this data's intrinsic value, hackers sell it at a premium on the black market.
Beyond patient data, pharmaceutical research information is a highly attractive target for cyberespionage. It takes an average of 12 years to research a drug and get it approved, typically costing the research company $359 million. Competing companies, often sponsored by nation-states, can be motivated to cut costs and time through the act of cybertheft.
TechRepublic: What are your expectations for healthcare cybersecurity and breaches in 2016?
Roy Katmor: Healthcare is in a golden era when the combination of innovative technology and immense amounts of data enables the healthcare sector to research and solve some of the worst health crises. There are a few thorns in the rose, however.
Ensuring patient privacy is a growing concern as data once considered to be anonymized can be de-anonymized through analysis and correlation of seemingly separate data sets. Additionally, securing patient data has become an increasing concern with threat actors viewing dollar signs behind this data. While the Washington Post dubbed 2015 the Year of the Healthcare Hack, we predict it won't be different in 2016.
In terms of healthcare research, it's important to view the threat in the context of international agreements, signed in late 2015, attempting to settle cyberespionage acts. Superficially, it may seem that these acts will subside, but they're more likely to continue, just under the guise of non-state-affiliated cyber criminals, thus falling outside the realm of signed treaties.
In light of the aforementioned risks, healthcare organizations will come to view cybersecurity as a pillar of their business. These organizations will build security strategies that go beyond the typical separation of network and endpoint security and will actually look at both as a whole in order to support the increasing amount of data, the consumerization of IT, the cloud, and the breakdown of traditional network parameters.
TechRepublic: What are the chinks in the cognitive armor? In other words, how does thinking about IT security in the healthcare sector need to change?
Roy Katmor: First, healthcare-related organizations need to recognize that they, too, are targets for advanced attacks.
Second, security awareness is not in the DNA of this sector. If we take a look at other industries, such as finance, we see that they've already researched, learned and adapted to the threats facing their business. In fact, they can already identify emerging cybersecurity technologies and accelerate their adoption throughout the industry. Healthcare is different altogether, as it only recently underwent a massive transition via technology and now faces threats that never existed before. Organizations now need to educate themselves on the threat landscape and build a strategy that closes the gap. They're yet to realize that they can already adopt several strategies from other industries.
Third, in a rush to deal with the security gap, healthcare organizations are currently placing too much emphasis on preventing infiltration. In reality, an attacker will eventually find a way in, so healthcare organizations must assume they're already compromised, and instead focus on preventing the exfiltration and tampering of data.
Finally, security teams need to know how to deal with an attack without disrupting the business. The default reaction to a device's infection is to disconnect, but companies must have tools to allow healthcare operations to continue as usual, while safekeeping data, even during the resolution of attacks.
TechRepublic: What technologies do healthcare organizations need to back up new approaches to cybersecurity?
Roy Katmor: Healthcare organizations looking to implement their cybersecurity strategy should consider technologies that combine the following characteristics:
- Preventive: Prevention is critical— it won't help if the horse has already left the barn. As a case in point, the security market already demonstrates that any security solution that began with providing detection, matured into a prevention-mode solution (e.g. IDS/ IPS, Out-of-Line vs. inline deployments, WAFs, etc).
- Accurate: This includes offering minimal false positives so that security teams aren't led on a wild-goose chase. Additionally, an ideal solution requires pinpointing forensics teams to the actual needle in the haystack.
- Real-time: There is no point in preventing the threat after the damage is already done. Also, a security solution must not incur a negative impact on user experience, as it will lead to adoption resistance.
- Autonomous: An ideal solution should act as a stand-alone, capable of running independent of other solutions but still be able to add feeds and inputs from other solutions.
TechRepublic: What future cyberthreats do industry leaders need to be aware of several years from now?
Roy Katmor: In a world of increasing device variety and dissolved network boundaries, where medical devices become connected computing devices, IoT advances will be particularly relevant for the healthcare sector. For instance, digital insulin pumps can be easily infiltrated and manipulated by hackers.
The FDA and the Department of Homeland Defense are already urging manufacturers to take the necessary precautions to harden medical devices against unauthorized access. But even with all these measures, attackers will eventually find a way in. The biggest challenge will be providing secure solutions for these devices, which will have to meet with device continuity demands necessary in a life-and-death industry like healthcare.
TechRepublic: Since enSilo is just over a year old, what was your firm's founding mission?
Roy Katmor: At enSilo we believe that network compromises are inevitable, but data breaches are preventable. External targeted threat actors will eventually infiltrate your network, so we choose to focus on preventing the exfiltration of critical data in the event of an attack. With this mission in mind our team, comprised of some of the strongest cybersecurity researchers in the industry, created solutions that help organizations secure data while keeping businesses running smoothly in face of targeted attacks.