Rising wave of healthcare breaches in Covid times
The pandemic has opened more windows of opportunity for cybercriminals who are relentlessly devising novel ways and techniques of striking down security defenses and breaching the internal assets of organisations. The healthcare sector too has fallen victim to this diversion created by the pandemic as malicious agents seek to breach hospital networks to access health data and vital asset, which are then sold at underground auctions or manipulated for various nefarious ends, says Murali Urs, Country Manager, India, Barracuda Networks
By Murali Urs
The recent pandemic has wreaked substantial havoc on every walk of our life. It has opened more windows of opportunity for cybercriminals who are relentlessly devising novel ways and techniques of striking down security defenses and breaching the internal assets of organisations. The healthcare sector too has fallen victim to this diversion created by the pandemic as malicious agents seek to breach hospital networks to access health data and vital asset which are then sold at underground auctions or manipulated for various nefarious ends.
There have been several instances of medical data breaches in India that have only multiplied since the advent of the pandemic. In January this year, the capital city reported the theft and leakage of Covid-19 test results and other details of thousands of Covid-19 patients which were compromised from the Delhi government’s website. In another related incident, a large multi-speciality private hospital in Kerala had its complete patient records collected during the course of last five years containing countless test results, scans, prescriptions, etc., were unceremoniously leaked on the internet, all of it which was accessible through a unique patient ID.
Over 10 crore healthcare records were exposed in 2020 while 28.6 lakh records have been disclosed so far in the first two months of 2021. Of these, ransomware was alleged as the most major root cause of healthcare breaches, making up for a pivotal 54.95 per cent. Additional leading causes comprised email compromise/phishing (21.16 per cent), insider threat (7.17 per cent) and unsecured databases (3.75 per cent).
Therefore, against such an alarming surge in the number of healthcare breaches it is essential to deploy the latest and most advanced defensive cybersecurity solutions to safeguard important files and databases. Equally important is training all healthcare personnel the imperatives of best security practices to cultivate a well-secured culture that can defend and avert breaches at a daily basis.
Not just hacking and IT incidents are responsible for this rising tide of data breaches in the healthcare sector. There are other factors too:
IT asset disposal (ITAD): Asset disposal is one of the sundry housekeeping operations that most companies often fail to attach importance or fail to communicate to pertinent parties. There have been episodes of an American computer vendor dumping away patient records in a dumpster which resulted in a major data breach in 2012. It is highly essential to practice safe disposal of IT assets as well as ensuring a competent computer recycling program to prevent the occurrence of such undesirable developments.
App misconfiguration: Malicious bots can easily target those files in the public domain that have not been adeptly secured. It is essential to deploy effective password protection and data encryptions for all files and application that can find their way into the public domain.
Equipment theft: You should never save confidential data files on a public station as it is just inviting trouble. Any stolen laptop or any communicative device belonging to a top-tier professional can considerably setback the organisation.
Human error: Any employee can tend to commit mistakes but some have greater ramifications. Therefore, it is ultra-essential to expose all personnel in warranting the best security practices to avoid such episodes. There are numerous accounts of employees causing massive setbacks on account of individual negligence. It is best to learn from the mistakes of others as experience is the best teacher.
There are many other paths to a data breach but here are the three things that must be considered before assessing an organisation’s security compliance and defensive architecture.
E-mail security: Companies must deploy the latest state of the art AI-enabled anti-phishing frameworks that can prevent potential phishing mails that evade traditional email gateway. A multi-layered email protection can defend business from subsequent attacks such as ransomware and to avert valuable data from being leaked to external agents.
App protection: A number of web application firewalls (WAF) are available in the market today in the form of WAF-as-a service that can effectively safeguard all web applications from rogue bots and breaching attempts. It is also recommended that you utilise some form of vulnerability remediation service to automate the remediation process based on the threats discovered post-scanning. This help in making sure that all databases are well-secured and safe from public access.
Data protection: Backup solutions ensure that your data stays protected at all times and events. You can select from a variety of cloud-to-cloud SaaS backup solutions and backup configuration tools that offer immense protection to Microsoft teams, PowerPoint, OneDrive data, and Exchange while ensuring that all your valuable data stays under a 24/7 protective cover.
While cybersecurity solutions and data-security innovations surely can’t guard against natural causes and events beyond human control that can lead to data breaches in the healthcare sector. But they are surely the best bet forward against a plethora of hacking events, breaches, data thefts, and even the inadvertent loss of data. Organisations must utilise the latest solutions and hypervigilant security frameworks to ward off attacks and ensure adequate compliance towards best cybersecurity practices.
If you have an interesting article / experience / case study to share, please get in touch with us at [email protected]