The idea of security breaches often brings to mind malicious attackers hacking into computer systems. However, past major health sector breaches have shown that vulnerabilities are more often than not the result of healthcare system misconfiguration. While such breaches cause significant reputational damage, HIPAA fines add insult to injury: the healthcare sector's average fine of $6.45 million leads all other sectors. This creates the double-edged sword of needing to adequately secure protected health information while also maintaining HIPAA compliance and avoiding lawsuits from clients whose records have been breached.
Recent Healthcare Breaches
In 2018, more than three times as many patient records were breached as in 2017. By halfway through 2019, healthcare cybersecurity breaches had already doubled the total for the whole of 2018.
In January 2019, Inmediata Health Group discovered it had inadvertently exposed the information of approximately 1.56 million patients because, as its incident report indicated, “a webpage setting…permitted search engines to index internal webpages that are used for business operations.”
In February, the University of Washington Medicine announced that it had exposed the information of approximately 1 million patients because of the accidental removal of website server protections, again exposing files to indexing by search engines.
These are not isolated experiences, as a 2017 IBM security report noted that breaches caused by healthcare system misconfiguration due to human error in cloud infrastructures had increased by 424%. Additionally, Gartner analyst Neil MacDonald estimated that by 2020 “80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.”
Healthcare System Misconfiguration
Why has misconfiguration become such a problem in the healthcare industry? One of the major causes is the complexity of systems as they migrate to cloud or hybrid environments. While these environments make organizational processes more user friendly and efficient, they also introduce new vulnerabilities, multiplying the weaknesses through which an attacker might gain entry.
The growth of technological infrastructure increases the number of vulnerable points, and with the spread of the internet of things (IoT) and the use of IoT devices in healthcare systems, the vulnerabilities in healthcare infrastructure grow exponentially. Additionally, new application architectures and infrastructures are being created for cloud native applications, which enlarges the attack surface. Finally, as organizations grow, the number of people with access to sensitive information – including employees, partners and clients – increases the potential for human error or negligence.
To use a metaphor, vulnerabilities are like the doors and windows of a house: they are the points through which thieves might enter to steal your valuables. As the number of doors and windows increases, so do the opportunities for thieves to get in. Moreover, the more people who hold keys to the house, the greater the chance that somebody forgets to lock a door or close a window.
Solving the Issue of Misconfiguration
A documented security policy isn’t enough: cybersecurity assurance requires that the security systems and configurations that support the policy have actually been implemented across the infrastructure. Verifying this is extremely difficult in today’s dynamic IT environment, which is why most security breaches exploit relatively simple configuration and process failures. What is needed is a new approach that dynamically validates the security posture, removing the manual steps that create the possibility of human error in configuration and regulatory compliance. Doing this continuously and repeatedly is a huge challenge for companies today.
A key healthcare system solution lies in using a HIPAA-compliant automated security system. Continuing with the house metaphor above, the automated system checks that all the windows and doors are closed and notifies you when they aren’t, while also making sure that only authorized individuals have keys. With healthcare systems and data, this would mean notifying you of human errors in configuration, such as storage buckets being accessible to the public, passwords being left blank, or database misconfiguration. An automated system would check on an ongoing basis that such healthcare system misconfiguration errors or security policy violations have not taken place. It would also ensure that users are only granted the necessary access to data their jobs require or are permitted, while also preventing unauthorized users from sending packets into the data environment that might contain malicious software.
Automated systems also solve two further issues related to compliance. First, they can make sure that your health data infrastructure is compliant with HIPAA regulations. Second, as HIPAA regulations and security practices themselves require, they can constantly monitor and audit your infrastructure, updating configurations in real time, enforcing security and compliance policies, and maintaining compliance as HIPAA regulations change.
An Automated Solution
Spanugo’s Autonomous Security Assurance Platform (ASAP) offers these automated functions to maintain system hygiene. While some security systems are limited to either on-premises or cloud environments, ASAP is compatible with on-premises, cloud, and hybrid environments. Out of the box, ASAP automates the IT components of HIPAA, saving you the time it would take to build and implement an in-house security system.
Once installed, ASAP provides automatic, comprehensive, continuous and consistent detection of security and compliance hygiene issues and vulnerabilities, checking your infrastructure against security and configuration best practices. This includes basic configuration checks, such as making sure that default passwords are changed, route access is not publicly available, and applications and firewall gateways are properly configured. But it also provides advanced automation of other security and compliance elements of your infrastructure.
First, ASAP provides validation reports that check how closely the current environment matches HIPAA requirements and highlight where a specific security control required by policy is not correctly implemented. Second, it provides drift analysis, which highlights recent control changes and policy drift, making it easy to spot degradation in security caused by environmental changes; this enables continuous compliance by supplying the data that drives an ongoing process of control validation. Finally, ASAP provides cybersecurity assurance analytics that go beyond the security policy, giving you protection beyond compliance requirements and helping to protect your reputational integrity by assessing and managing your exposure to security breaches.
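To make concrete what the continuous configuration checks described above (public storage buckets, blank passwords, open database access, internal pages exposed to search engines) and the drift analysis look like in practice, here is a small worked example. It is an added illustration written for this page, not Spanugo's or ASAP's code. It evaluates a constructed resource inventory against a rule set, compares a baseline snapshot with the current one to report drift, and isolates the drift that introduced new findings. The inventory, its attribute names (`public_read`, `admin_password`, `indexable`, and so on) and the resource names are assumptions for the example; the control labels cite the HIPAA Security Rule technical safeguards in 45 CFR 164.312.

```python
"""Continuous posture check and drift analysis over a constructed inventory.
Added illustrative example for this article; not Spanugo's or any product's code."""
from typing import Any, Dict, List

# Constructed baseline snapshot: what a collector would have exported when the
# environment was last validated. All attribute names are assumptions.
BASELINE: Dict[str, Dict[str, Any]] = {
    "storage/patient-images": {"type": "bucket", "public_read": False, "encrypted": True},
    "storage/billing-archive": {"type": "bucket", "public_read": False, "encrypted": True},
    "db/ehr-primary": {"type": "database", "admin_password": "example-strong-passphrase",
                       "tls_required": True, "allowed_cidrs": ["10.0.0.0/8"]},
    "web/ops-intranet": {"type": "webserver", "auth_required": True, "indexable": False},
}

# Constructed current snapshot: the same environment after several "harmless" changes.
CURRENT: Dict[str, Dict[str, Any]] = {
    "storage/patient-images": {"type": "bucket", "public_read": True, "encrypted": True},
    "storage/billing-archive": {"type": "bucket", "public_read": False, "encrypted": False},
    "db/ehr-primary": {"type": "database", "admin_password": "",
                       "tls_required": True, "allowed_cidrs": ["0.0.0.0/0"]},
    "web/ops-intranet": {"type": "webserver", "auth_required": False, "indexable": True},
}


def _rule(type_: str, check, control: str, severity: str, message: str) -> Dict[str, Any]:
    """A rule applies to one resource type; `check` returns True when the resource violates it."""
    return {"type": type_, "check": check, "control": control,
            "severity": severity, "message": message}

# Control labels reference HIPAA Security Rule technical safeguards (45 CFR 164.312).
RULES: List[Dict[str, Any]] = [
    _rule("bucket", lambda r: r.get("public_read") is True,
          "164.312(a)(1) access control", "critical", "bucket is publicly readable"),
    _rule("bucket", lambda r: r.get("encrypted") is False,
          "164.312(a)(2)(iv) encryption", "high", "bucket is not encrypted at rest"),
    _rule("database", lambda r: r.get("admin_password", "") == "",
          "164.312(d) authentication", "critical", "blank administrative password"),
    _rule("database", lambda r: "0.0.0.0/0" in r.get("allowed_cidrs", []),
          "164.312(a)(1) access control", "critical", "database reachable from any address"),
    _rule("database", lambda r: r.get("tls_required") is False,
          "164.312(e)(1) transmission security", "high", "TLS not enforced for connections"),
    _rule("webserver", lambda r: r.get("auth_required") is False,
          "164.312(a)(1) access control", "critical", "internal pages served without authentication"),
    _rule("webserver", lambda r: r.get("indexable") is True,
          "164.312(a)(1) access control", "high", "internal pages indexable by search engines"),
]


def evaluate(inventory: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per (resource, rule) violation, most severe first, then by resource name."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for name, attrs in inventory.items():
        for rule in RULES:
            if attrs.get("type") == rule["type"] and rule["check"](attrs):
                findings.append({"resource": name, "control": rule["control"],
                                 "severity": rule["severity"], "message": rule["message"]})
    return sorted(findings, key=lambda f: (order[f["severity"]], f["resource"]))


def drift(baseline: Dict[str, Dict[str, Any]],
          current: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Attribute-level changes between two snapshots; added or removed resources appear whole."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name), current.get(name)
        if before is None or after is None:
            changes.append({"resource": name, "attribute": None, "before": before, "after": after})
            continue
        for attr in sorted(set(before) | set(after)):
            if before.get(attr) != after.get(attr):
                changes.append({"resource": name, "attribute": attr,
                                "before": before.get(attr), "after": after.get(attr)})
    return changes


def degradations(baseline: Dict[str, Dict[str, Any]],
                 current: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Findings present now that were absent at baseline: the drift that weakened the posture."""
    key = lambda f: (f["resource"], f["message"])
    known = {key(f) for f in evaluate(baseline)}
    return [f for f in evaluate(current) if key(f) not in known]


def summary_by_control(findings: List[Dict[str, Any]]) -> Dict[str, int]:
    """Finding counts per cited control, the shape a validation report would summarise."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["control"]] = counts.get(f["control"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate(CURRENT):
        print(f"[{f['severity']:8}] {f['resource']}: {f['message']} ({f['control']})")
    print("drift entries since baseline:", len(drift(BASELINE, CURRENT)))
    print("new findings since baseline:", len(degradations(BASELINE, CURRENT)))
    print("findings per control:", summary_by_control(evaluate(CURRENT)))
```

Run on its own, the script reports no findings for the baseline, six for the current snapshot (four critical), six attribute changes, and six new findings since baseline. In a real deployment the two dictionaries would come from a collector that exports the live configuration on a schedule, and `degradations` is the output worth alerting on, because it separates drift that merely changed something from drift that opened a door or window.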