One of Norway’s largest healthcare providers, Health South-East RHF (translated), has become the victim of a data breach that may have exposed sensitive data from half the country’s population. This amounts to about 2.5 million people. For comparison, in the U.S. the Equifax data breach exposed around half the country’s sensitive data to hackers who claimed it was easy. Despite the size of the breach, the healthcare provider acted swiftly to mitigate damage, send out notifications, and activate their incident response plan. Additionally, the hospital network worked with vendors and trusted partners to expedite the mitigation of the data breach. While this incident did happen in Norway, there are some critical lessons that healthcare organizations in the U.S. can take away from this situation.
Overview of Healthcare Cyber Security Hygiene
While headlines are saying that half the Norwegian population’s data was potentially exposed to hackers from this data breach, it is dwarfed in comparison to how many Americans have their personal information leaked to hackers every year. Accenture took a recent survey of U.S. healthcare providers and the results were not great. Roughly 83% have experienced a cyber attack, most of those being the result of phishing emails, malware downloads, and unauthorized access. This indicates that insider threats are still the leading cause of concern in the healthcare industry. When it comes to technology adoption, only 44% of practices plan to adopt behavior analytics-based technologies such as anomaly detection. When responding to a cyber security incident, it was revealed that healthcare organizations notify their internal IT group or notify educated employees; following an incident response plan came in third. Even worse, contacting the police, FBI, or DHS came in sixth. Additionally, according to Black Book Research, 54% of providers do not conduct regular risk assessments, meaning even the providers are in the dark when it comes to how secure they are from a data breach.
Despite the state of cyber security for healthcare professionals, not all hope is lost. The data breach that happened to Health South-East RHF carries lessons for U.S.-based healthcare providers. Let’s explore some of those lessons now.
Government Support & Communication
One of the more notable actions that Health South-East RHF took was that they immediately notified Norcert, the national security authority. More than simple notification, Norcert led the efforts to mitigate and remediate the threat. Healthcare providers in the United States should know there is a government agency they can turn to in the event of a data breach: the Department of Homeland Security (DHS). That’s right, the U.S. DHS has set up a variety of systems for reporting a cyber security incident and even tracking other incidents that are happening. The reporting system is called the National Cybersecurity and Communications Center. If your healthcare practice faces a cyber security incident, then you are able to work with government agencies that can help. Depending on the scale of the breach, the Department of Justice may take the lead via the FBI. The U.S. government is able to assist you if there is a cyber security incident. The key lesson here is to seek help when there is an incident; your organization is not alone.
Incident Response Plan
While it is unclear whether Health South-East RHF followed an established incident response plan, what is clear is that they reached out to their IT security vendor and their national security authority. Healthcare providers not only need an incident response plan, but they also need to stick to the plan when an incident happens. According to the Accenture survey cited above, healthcare practices turn to their internal IT teams or even just knowledgeable employees. Cyber security incidents can be scary and full of panic all around, but it is important to carry out established plans. One of the other data points included in the Black Book Research is that a surprising 84% of healthcare providers do not have any sort of cyber security manager in place. Having one person responsible for cyber security can really help with coordination of communications, resources, and implementation of plans when an incident happens. Health South-East RHF likely had an incident response plan since in Europe it is essentially required due to the General Data Protection Regulation. There is no policy equivalent in the United States, but that should not prevent you from making sure you have an incident response plan.
In the United States, the data all points to insider threats as the most significant cyber security risk facing healthcare organizations. One of the best security investments that an organization can make is in abnormality detection. This is also referred to as behavioral analytics by some vendors. Abnormality detection software, such as Teramind’s, monitors every user and your network itself to establish normal patterns of behavior. Once that pattern is established, it monitors for deviations from that behavior. Depending on the scale of the behavior deviation, you can implement smart actions that initiate when a certain violation is triggered. Anomaly detection can help your organization identify if there is a rise in insider threat behaviors. Another aspect of anomaly detection is that it helps identify if your network itself is acting out of the ordinary, which may indicate the presence of malware.
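To make the baseline-then-deviation idea concrete, here is an added example (not code from the original article and not Teramind’s product) that builds a per-user baseline of daily patient-record views from constructed audit-log lines, scores a new day against that baseline, and picks a tiered response by the scale of the deviation. The log format, user names, counts and response tiers are all assumptions for illustration.

```python
# Added example: per-user behavioral baseline and deviation scoring over
# constructed audit-log lines (insider-threat side of anomaly detection).
import statistics
from collections import defaultdict

# Constructed sample log: "date user action daily_count" (one line per user per day).
SAMPLE_LOG = """\
2018-01-02 nurse01 record_view 38
2018-01-03 nurse01 record_view 41
2018-01-04 nurse01 record_view 35
2018-01-05 nurse01 record_view 44
2018-01-06 nurse01 record_view 39
2018-01-02 clerk07 record_view 12
2018-01-03 clerk07 record_view 9
2018-01-04 clerk07 record_view 14
2018-01-05 clerk07 record_view 11
2018-01-06 clerk07 record_view 10
"""

def parse_log(text):
    """Return {user: [daily counts in date order]} from the audit-log text."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        _date, user, _action, count = line.split()
        per_user[user].append(int(count))
    return per_user

def build_baseline(per_user):
    """Learn each user's normal pattern: mean and std-dev of daily activity."""
    return {u: (statistics.mean(c), statistics.pstdev(c)) for u, c in per_user.items()}

def score(baseline, user, today_count):
    """Deviation from the user's own norm, in standard deviations (z-score)."""
    mean, sd = baseline[user]
    sd = max(sd, 1.0)  # floor so a near-constant history does not inflate the score
    return (today_count - mean) / sd

def respond(z):
    """Tiered 'smart action' keyed to how far the behavior deviates (assumed thresholds)."""
    if z < 3:
        return "none"
    if z < 6:
        return "alert_security_manager"
    return "suspend_session_and_alert"

def evaluate_day(today_counts, baseline):
    """Score every user's activity for one day and choose a response per user."""
    return {u: (round(score(baseline, u, n), 1), respond(score(baseline, u, n)))
            for u, n in today_counts.items()}
```

Running `evaluate_day({"nurse01": 45, "clerk07": 210}, build_baseline(parse_log(SAMPLE_LOG)))` leaves the nurse alone (a normal busy day) and flags the clerk, whose 210 views are far outside anything in that user’s own history.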
The healthcare sector in the United States does seem to have a long way to go. Health South-East RHF’s preparedness and handling of the situation can be attributed to their national policy requirements. Healthcare providers in the United States clearly care about cyber security; it is just a matter of knowing what resources, technologies, and people are available to help them.