The idea of security breaches often brings to mind malicious attackers hacking into computer systems. However, past major health sector breaches have shown vulnerabilities are more often than not the result of healthcare system misconfiguration.
While such breaches cause significant reputational damage, HIPAA fines can add insult to injury, with the healthcare sector's average fine of $6.45 million leading all other sectors. This creates the double-edged sword of needing to adequately secure protected health information while also maintaining HIPAA compliance and avoiding lawsuits from clients whose records have been breached.
By mid-2019, healthcare cybersecurity breaches had already doubled the total for the entirety of 2018. In January 2019, Inmediata Health Group discovered it had inadvertently exposed the information of approximately 1.56 million patients because, as its incident report indicated, “a webpage setting…permitted search engines to index internal webpages that are used for business operations.”
In February, the University of Washington Medicine announced it had exposed the information of approximately one million patients because of the accidental removal of website server protections, again exposing files to indexing by search engines.
These are not isolated experiences, as a 2017 IBM security report noted that breaches caused by healthcare system misconfiguration due to human error in cloud infrastructures had increased by 424%. Additionally, Gartner analyst Neil MacDonald estimated that by 2020, “80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.”
Healthcare System Misconfiguration
Why has misconfiguration become such a problem in the healthcare industry? One of the major causes is the complexity of systems as they migrate to the cloud or hybrid environments. While these environments make organizational processes more user-friendly and efficient, they also introduce new and increasing vulnerabilities, proliferating weaknesses that might allow entry.
The growth of technological infrastructures increases the number of vulnerability points and, with the growth of the internet of things (IoT) and the use of IoT devices in healthcare systems, the vulnerabilities in healthcare infrastructures increase exponentially. Additionally, new application architectures and infrastructures are being created for cloud-native applications, which increases the attack surface.
Finally, as organizations grow, the number of people with access to sensitive information – including employees, partners and clients – increases the potential for human error or negligence.
To use a metaphor, vulnerabilities are tantamount to the doors and windows in a house: these are points through which thieves might enter your house to steal your valuables. As the number of doors and windows increases, so do the opportunities for thieves to get in. Moreover, as the number of people who have keys to the house increases, so does the chance that somebody forgets to lock a door or close a window.
Solving the Issue of Misconfiguration
A documented security policy isn’t enough: cybersecurity assurance requires that relevant security systems, and configurations to support the policy, have been implemented across infrastructures. Verifying this is extremely difficult in today’s dynamic IT environment, which is why most security breaches exploit relatively simple security configuration and process failures.
What is needed is a new approach to dynamically validate the security posture, removing manual implementations that create the possibility of human error in configuration and regulatory compliance. To do this continuously and repeatedly is a huge challenge for companies today. A key healthcare system solution lies in using a HIPAA-compliant automated security system.
Continuing with the house metaphor above, the automated system checks that all the windows and doors are closed and notifies you when they aren’t, while also making sure that only authorized individuals have keys. With healthcare systems and data, this would mean notifying you of human errors in configuration, such as storage buckets being accessible to the public, passwords being left blank, or database misconfiguration.
An automated system would check on an ongoing basis that such healthcare system misconfiguration errors or security policy violations have not taken place. It would also ensure users are granted only the access to data that their jobs require or that they are permitted, while also preventing unauthorized users from sending packets that might contain malicious software into the data environment.
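As an added illustration (not code from the article or from any product it mentions), the sketch below runs one pass of such a check over an inventory snapshot: it flags the public bucket, blank password and database misconfiguration named above, the search-engine-indexable internal page from the incidents described earlier, and data access beyond a user's role. Every resource name, field name and the role policy are constructed assumptions, including what counts as a database misconfiguration here (listening on all interfaces, not requiring TLS).

```python
# Constructed inventory snapshot; names and fields are assumptions for this example.
INVENTORY = [
    {"type": "bucket", "name": "claims-archive", "public_read": True},
    {"type": "bucket", "name": "billing-exports", "public_read": False},
    {"type": "account", "name": "svc-reports", "password_hash": ""},
    {"type": "account", "name": "dr.lee", "password_hash": "<set>"},
    {"type": "database", "name": "ehr-db", "bind": "0.0.0.0", "require_tls": False},
    {"type": "database", "name": "lab-db", "bind": "10.0.4.12", "require_tls": True},
    {"type": "webpage", "name": "/ops/claims", "internal": True, "robots": "index"},
    {"type": "grant", "name": "dr.lee", "role": "clinician",
     "datasets": ["charts", "payroll"]},
]

# Assumed policy: the datasets each role is permitted to read.
ROLE_DATASETS = {"clinician": {"charts", "labs"}, "billing": {"claims"}}


def check(res):
    """Return the policy violations for one resource (fail closed on missing fields)."""
    kind, found = res["type"], []
    if kind == "bucket" and res.get("public_read", True):
        found.append("storage bucket is publicly readable")
    elif kind == "account" and not res.get("password_hash"):
        found.append("password is blank")
    elif kind == "database":
        if res.get("bind", "0.0.0.0") in ("0.0.0.0", "::"):
            found.append("database listens on all interfaces")
        if not res.get("require_tls", False):
            found.append("database does not require TLS")
    elif (kind == "webpage" and res.get("internal")
          and "noindex" not in res.get("robots", "")):
        found.append("internal page is indexable by search engines")
    elif kind == "grant":
        extra = set(res.get("datasets", [])) - ROLE_DATASETS.get(res.get("role"), set())
        if extra:
            found.append("access beyond role: " + ", ".join(sorted(extra)))
    return found


def audit(inventory):
    """Check every resource and return (name, violation) pairs to notify on."""
    return [(res["name"], v) for res in inventory for v in check(res)]


if __name__ == "__main__":
    for name, violation in audit(INVENTORY):
        print(f"ALERT {name}: {violation}")
```

Run on a schedule against a fresh snapshot, a pass like this gives the ongoing check described above; a resource that omits a security field is reported rather than assumed safe.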
Automated systems also solve two further issues related to compliance. First, they can make sure your health data infrastructure is sector-compliant with HIPAA regulations. Second, and included in HIPAA regulations and security practices, they can constantly monitor and audit your infrastructure, including for the purposes of updating configurations in real-time, enforcing security/compliance policies, and maintaining compliance as HIPAA regulations change.
Doc Vaidhyanathan is a security systems and authentication expert. He leads product development at Spanugo, addressing the security assurance needs of hybrid data centers for enterprise operations.