Cyberattacks, Health Insurance, and Your Personal Data

When cybercriminals get your credit card information or financial data, the topic of cybersecurity hits really close to home, but the topic will never feel as personal as when hackers get to your health records and medical data.

As one of the largest breaches in the health insurance world continues to unfold in front of us, we’re learning all over again why hackers are so interested in healthcare payers. Payers – aka healthcare insurance companies – are like a treasure chest for cybercriminals, as they handle not just your social security data, but all of your personal information including financial credentials, credit card credentials, employment and income data, personal data such as address and birthdate, SSN, medical records, and more. Basically, any bit of valuable information that hackers are able to resell on the black market. Additional exposure and risks have been brought into the mix in the U.S. because the Healthcare.gov initiative requires many healthcare companies, including insurance companies and payers, to share a lot more information with many more parties in the ecosystem.

Much has already been written about healthcare breaches, but I wanted to reiterate some of the recommendations that I believe can have the greatest impact, and share why:

  1. Gain visibility. Understand where the risks are and assess your company security posture.

This one task alone might seem daunting and close to impossible to accomplish if you have limited resources, budget, and face a lot of inertia in your organization. This is actually where Palo Alto Networks can make the biggest difference in the shortest amount of time for customers. You can deploy one of our appliances in tap mode, with no disruption to your daily operations, and get valuable insights within a couple of days in the form of a full report on applications and malware present on your network. If you go through the exercise for all communications to servers that handle sensitive insurer data, then you will get immediate visibility into how far off you might be from a clean and secure environment.

  1. Advocate for tighter segmentation using application-level control.

Today’s reality is that many organizations still operate a network that’s way too flat to protect sensitive data from advanced attacks that are able to move laterally once inside a company’s network. Protecting sensitive and regulated data with tighter segmentation that is based on application white listing, a user access control model based on a least privileged model, and systematically inspecting all payloads, including that of authorized applications, will reduce risks significantly and enable security teams and advanced security tools to operate at their best.

  1. Quantify the risks and costs of a data breach to your organization.

If part of your role is to be a security advocate inside your company, then you should immediately equip yourself with data and metrics to back up your argument on why security matters and why your company should invest more in security. With the volume of breaches in 2014, there are many surveys, published models and resources that help to evaluate what breaches cost an organization.  For example, based on the Ponemon Institute research, in the US about $200 per stolen record was the number shared at the beginning of 2015.

  1. Do not stop educating employees about security issues.

Awareness and training activities related to security cannot be just point-in-time activities. They need to be reinforced into everyday interactions until they become second nature. The goal here is not to create a state of paranoia, but to empower every employee to acknowledge that security is critical to the stability of the business they work for and to ensure they quickly recognize the signs that something is wrong in the network. A couple of months ago, I wrote a blog on how Palo Alto Networks brings forward tools to maintain a high degree of alertness on security that may serve as a resource in this endeavor. (“Keeping security awareness high with your employees”)

  1. Build connections with security peers in the healthcare and insurance industries.

Hackers and cybercriminals have been getting more and more organized, and you should not have to fight them alone. Learn about best practices employed by your peers -- what has worked from them, what has not, how they might have responded to attacks, and more. During the industry security forums that I’ve attended, the volume of valuable information shared is amazing. Lagging behind your peers will only make your organization an easier target.  A good place to start is the Healthcare-ISAC and the annual summit they organize in partnership with the SANS Institute. Also, you can consider attending Ignite, the Palo Alto Networks user conference, where you can grow your network, and share ideas and best practices with security peers and leaders.

  1. Engage executives on your security agenda.

Cybersecurity is no longer just an IT issue; it is a business topic. Leading companies who have stayed out of the headlines had this figured out many years ago and have invested accordingly in resources and tools to protect themselves. If you feel you’ve been falling behind, it’s even more critical to reach to the top and get their sponsorship to challenge the security status quo. The above recommendations will make sure you’re prepared with the right information and context for when you approach the C-suite about the state of security in your company and what you need to improve it.

Additional resources