Issue link: https://securitytechnologyexecutive.epubxp.com/i/690996
May/June 2016 • SECURITY TECHNOLOGY EXECUTIVE 35 www.SecurityInfoWatch.com and then consider all the sensitive data gener- ated daily by the Internet of Things (IoT), edge devices and wearables for healthcare; these are combined in Health Information Exchanges (HIE's) creating extremely large datasets of Pri- vate Health Information (PHI), ripe for analysis in-house and by third parties, on-premise and in the cloud for the benefit of all. With good, however, comes bad. Mobile and cloud technologies have blurred the enterprise perimeter and the healthcare industry now faces the perfect storm as bad actors also seek to take advantage of the wealth of electronic medical records, claims files, data from medical devic- es stored in large repositories and distributed throughout complex healthcare ecosystems. PHI has a black-market value of up to 50 times the going rate for better-protected, harder to reach Payment Card Industry (PCI) information, making it 50 times more desirable to hackers who are working hard to leverage vulnerabilities in healthcare business networks and workforces As data flows throughout an organization in support of business processes and functions, identifying where sensitive data is located, where it's going and who in an organization is ultimately accountable for its' security is a must-have exercise. to gain unauthorized access to data. As a result, healthcare companies need to understand their challenges better as a form of defense. Climate Change HIPAA and HITECH and their associated Priva- cy and Security Rules govern the privacy rights of patients and define how these rights need to be protected. T he Office of Civil Rights (OCR) HIPAA 'Wall of Shame' chronicling healthcare breach- es have for years been populated with lost or stolen laptops, mobile and USB devices and data stores containing sensitive information and PHI. Now it shows a dramatic change in threats , with many different motivations including national security, hacktivism, ter- rorism and espionage that have escalated into coordinated PHI attacks. The most recent of these trends and poten- tially one of the most devastating is Ransom- ware. Hackers infiltrate systems, often via phishing attacks, and use malware to appropri- ate credentials that allow them to go wherever they need to find unprotected sensitive and PHI data which they hold hostage using encryption before demanding money in exchange for resto- ration of access. This is happening with alarming frequency and companies in 2016 so far have paid eight times more for hostage data than in all of 2015. Ransom demands var y but Hollywood Presby ter ian Medical Center was recently reported to have paid $17,000 after negotia- tions during which nearly 1,000 patients had to be relocated to other hospitals. Other health- care providers have been able to limit damage and restore systems but not without facing "significant disruptions". Storm Defenses These new threats especially leave those in the healthcare industry perched between a rock and a hard place as they struggle to balance limited IT resources and teams relatively new to the sophis- ticated skills required to securely democratize data, with the need to keep data accessible to the The value of holding data hostage is just as profitable for criminals as trading it on the dark web and these latest threats should serve as a warning beacon to medical facilities to evaluate the systems, equipment, and processes they employ to protect sensitive information in face of the data security threats we face today. Image Courtesy of BigStock.com