Report highlights strain pandemic puts on healthcare security protocols

A report has been released detailing the data privacy concerns attached to the healthcare setting during the age of COVID-19.

Released by IntSights, the first in a two-part series of reports says the ongoing pandemic has placed “further strain on the already insufficient security protocols” across the healthcare sector.

The report explores the challenges the organisations face from a compliance and risk perspective.

Its key findings include:

• The healthcare threat surface grows exponentially in tandem with data privacy liability as businesses are forced to operate in remote settings.
• The healthcare sector is the most frequently targeted industry due to the sensitive data it harbours and the relatively lax security protocols in place.
• HIPAA-covered entities are under increased scrutiny and pressure to comply with Breach Notification Rules and OCR investigations.
• Third-party providers like medical device manufacturers and others in the supply chain increase the risk for already vulnerable hospitals.
• Medical records are selling for massive profits on dark web black markets and forums.

The report identifies that people working from home in record numbers may see some having to transfer intellectual property, personally identifiable information and PHI data to be stored on local drives and process on private computers – resulting in several possible implications to data security regulations, and jurisdictional privacy laws.

IntSights says it has found examples of successful ransomware attacks on the healthcare industries which highlight system vulnerabilities and weak security controls.

Recommendations for bolstering data privacy compliance efforts in the report include:

• Assess risk and potential liability - Newly remote workers may be required to transfer IP, PII, and PHI data to local drives on their private computers, which introduces several possible implications to multiple data security regulations (HIPAA, PCI DSS) as well as jurisdictional privacy laws, most notably the GDPR and the CCPA . Measuring the business against any data security standard or framework to get a temperature reading on data security and existing controls can help to ensure that the organisation is poised to combat increased threats and address resource requirements.
• Use threat intelligence to identify organisational risk. Threat intelligence solutions can help security teams automate and reduce manual data collection to prove security control efficacy with required industry compliance standards. Explore core CTI use cases that lead to quick security control and compliance wins.
• Align your data privacy policy with global privacy laws. Take the first step in securing sensitive and critical data by ensuring your program will meet the rigor of current cybersecurity and global data privacy laws. Assess your core audit requirements to achieve regulatory and security confluence.
• Protect compensating security controls. Policies can be constructed to target, tag, and monitor core assets that are critical to the security policy (i.e., Windows systems that are no longer supported). This will help identify when legacy systems are at risk. The presence of intelligence showing the use of specific negative-zero-day exploits will help to prioritise weak spots in the business security posture.
• Locate exploited data and credentials. Global rules can be set up to target specific critical data leakage or exploitable data. This will help ensure proactive remediation of threats from data request spoofing attacks and find any references to PHI data that has been compromised.