Community Health Systems announced Aug. 18 that hackers had breached its health care network of 206 facilities and stolen sensitive information on approximately 4.5 million patients. The compromise and subsequent data loss are part of a general trend in the sector. The health care industry has given short shrift to IT security, spending less on protecting its systems and data than most, if not all, other industries when measured as a percentage of the overall IT budget. And data from firms that track threat intelligence shows that signs of breaches are rampant in the health care industry.
Part of the problem is that many participants in the health care industry, such as individual doctors' offices, don't think of themselves as being in the data management business, so they are inadequately prepared to protect data against the threats that exist today. In most cases, data breaches have less to do with advanced hacking techniques than with lost laptops, failure to shred paper records, and other employee errors.
Whether stolen or accidentally disclosed, healthcare data is valuable, and that makes it a target. On the black market, personal records suitable for use in identity theft are worth $10-$12 each at the low end or maybe $25-$28 for a particularly attractive identity. When enriched with health data, the value of an identity data set jumps to about $50 per record, because then it can be used for medical and insurance fraud.
The threat is out there, and the threat is going to get bigger. The point is to ensure that you're prepared and have a plan in place. What's needed is 24x7 incident monitoring, ongoing assessment against industry security best practices, and automated HIPAA reporting. The solution must include proactive, real-time threat detection and remediation in order to minimize the risk of downtime for critical systems. Finally, out-of-the-box HIPAA compliance reports, delivered regularly as part of the service, give health care providers a straightforward and effective way to get healthy.
That plan needs to include a SIEM solution that provides:
- Comprehensive information security intelligence for systems handling ePHI as mandated by HIPAA
- Proper people, process and technology to meet HIPAA information security monitoring and audit requirements
- Continuous monitoring of well-accepted security controls and best practices