Data breaches continue to be a primary concern for the security of healthcare organizations. Although there will most likely never be a day when the threat of ransomware attacks and attempted thefts of patient health information is completely eradicated, technology designed to safeguard protected health information continues to evolve, adapt, and improve. According to estimates provided by Juniper Research, cybercrime will cost businesses over $2 billion by 2019, a 400% increase since 2015 [1].

The evolution of technological safeguards against theft of private and protected information continues to be a multifaceted effort. This technology must protect health information and medical data records while looking far enough ahead to plan for, adapt to, and prevent new and more intense attempts to extract data from the organization.

As the healthcare industry continues to realize the benefits of mobile medical devices, healthcare security becomes even more essential; recent 2016 projections estimate that wireless and mobile medical device sales will top 100 million devices per year [2].

Goal: Interrupt the Kill Chain of Advanced Healthcare Attacks

The kill chain is the series of steps attackers use to infiltrate a network, establish a foothold in it, and then extract data from it. Understanding the typical sequence of a successful cyber-attack allows for better preparation when preventing current and future breaches.

Even with the recent development of healthcare technology, including the rapid transition to wireless and mobile devices, email remains the most common route of healthcare security breaches. Sophisticated phishing attacks consistently result in the most invasive and costly compromises of PHI and other sensitive information. As a result, advanced anti-spam software development continues to be crucial in preventing a typical attack, essentially making anti-spam efforts the first line of defense.

Advances in web filtering have developed into a vital "second line" of defense: preventing malicious links from leading unknowing users to websites that have been compromised by attackers. The third and fourth lines of defense, intrusion prevention systems and secure gateway antivirus with gateway application control, provide further security layers that sever the command-and-control communication attackers try to establish.

With the continuous advent of more sophisticated and complex phishing attacks and brute-force attacks, the evolution of emerging healthcare security efforts is vital. These efforts include improvements and developments in next-generation firewalls, blockchain technology, healthcare cloud-based security, secure direct messaging and health information exchange (HIE), and the recent improvements in the use of biometric security applications.

Next-Generation Firewalls

Next-generation firewalls (NGFWs) make it possible to apply new types of policies and security applications through a more comprehensive integration of the nodes in a given environment. In other words, NGFWs create IT security structures that allow greater amounts of data to be stored and are more flexible and responsive to new and unforeseen threats to healthcare security.

NGFWs allow healthcare organizations to deliver more secure patient care, specifically through:

More Advanced Integration Ability 

NGFWs allow for more specialized security by complementing and/or strengthening existing health IT security systems.

Virtual Security Services 

NGFWs allow new or updated security policies to be applied across an existing network. Their in-line file processing capabilities quickly identify traffic flagged as malicious and stop it from spreading.

Multi-Vector Threat Detection and Response 

Combining NGFWs with next-generation intrusion prevention systems (NGIPS) allows access and data points to be defined at specific tiers, including the user, application, and device levels; once a threat is identified, predefined automated responses stop the spread of damaging traffic.

More Secure Monitoring at the Application Level 

Advances in application identification allow monitoring of over 2,500 recognized applications, so malicious activity can be stopped at the port level.

New Opportunities for Better Cloud Extension Creation 

As more healthcare facilities transition to the cloud, NGFWs provide better organizational control over specific data points while ensuring that secure access is available to identified users.

One company considered to be a leader in the development of next-generation firewall applications is Astaro. Astaro adds application awareness to its security gateway. This software allows the firewall to differentiate between, and prioritize bandwidth for, the various applications running from the same software package. It also gives network administrators a network-wide view, the ability to see threats in real time, and the means to adjust quickly to protect the network. Astaro also plans to let network administrators quickly see new, not-yet-identified applications before they can affect sensitive customer data stored in their networks.

Blockchain Technology

Blockchain technology, most widely recognized for its use with Bitcoin, continues to gain traction as a viable way for the healthcare industry to increase security through an authoritative ledger that records each event. Blockchain technology further enhances security by requiring the consent and/or majority approval of the involved users before a transaction is recorded.

Proponents of blockchain technology integration in the healthcare industry often highlight the application’s ability to provide multiple checks and balances as a key benefit for improving the security of private health records.

While similar in concept to some of the health information exchanges currently in use, blockchain technology ensures that the information recorded is accurate, has been validated by the consumer, and is sent only to those who have been added to the "chain".
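To make the "authoritative ledger that records each event" concrete, here is an added example (not code from the article or from any vendor it names) of the hash-chaining part of a blockchain-style audit log: each PHI access event is linked to the hash of the previous entry, so any later edit to an earlier event breaks the chain and is detected on verification. The event records, field names and hash choice (SHA-256 over canonical JSON) are assumptions for illustration; the consent and majority-approval step the article mentions is not modelled here.

```python
import hashlib
import json
from typing import Any, Dict, List, Tuple

GENESIS_HASH = "0" * 64  # link value for the very first entry


def event_hash(prev_hash: str, event: Dict[str, Any]) -> str:
    """Hash the canonical JSON of an event together with the previous entry's hash."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(ledger: List[Dict[str, Any]], event: Dict[str, Any]) -> Dict[str, Any]:
    """Append an access event, linking it to the hash of the entry before it."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS_HASH
    entry = {"event": event, "prev_hash": prev_hash, "hash": event_hash(prev_hash, event)}
    ledger.append(entry)
    return entry


def verify_ledger(ledger: List[Dict[str, Any]]) -> Tuple[bool, int]:
    """Walk the chain from genesis; return (True, -1) or (False, index of first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != prev_hash or entry["hash"] != event_hash(prev_hash, entry["event"]):
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def build_sample_ledger() -> List[Dict[str, Any]]:
    """Constructed sample PHI access events (not real patients or users)."""
    ledger: List[Dict[str, Any]] = []
    append_event(ledger, {"ts": "2016-11-01T09:12:00Z", "actor": "dr_smith", "patient": "P-1001", "action": "view"})
    append_event(ledger, {"ts": "2016-11-01T09:15:00Z", "actor": "nurse_lee", "patient": "P-1001", "action": "update"})
    append_event(ledger, {"ts": "2016-11-01T10:02:00Z", "actor": "billing_bot", "patient": "P-1002", "action": "export"})
    return ledger


def tamper_demo() -> Tuple[bool, int]:
    """Someone rewrites the second event after the fact; verification pinpoints it."""
    ledger = build_sample_ledger()
    ledger[1]["event"]["action"] = "view"  # quietly downgrade an 'update' to a 'view'
    return verify_ledger(ledger)  # (False, 1)
```

A single party that controls the whole ledger could recompute every hash after the edit, which is why distributed ledgers replicate the chain across participants and require their agreement before an entry is accepted.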

Although Consensus Systems is a start-up production studio, its Ethereum decentralized application is attracting attention for its potential to revolutionize blockchain technology in several industries, including the healthcare security space. Of particular interest is Consensus Systems' distributed triple-entry accounting system. Specifically, this technology adds a time-stamped upload, providing another (third) level of security for clients and providers.

Healthcare Cloud-Based Security

One of the top healthcare cloud security concerns continues to be the compromise of private and secure information such as PHI. In fact, according to recent findings, over 90% of small healthcare organizations in the United States have reported at least one data breach [3]. With over 100 million records and supposedly secure documents accessed through data breaches, hacks and other unauthorized means, cloud-based security remains a leading concern.

While cloud-based security methods are currently being utilized by many healthcare organizations, there appear to be new efforts to better protect sensitive data by utilizing specific cloud-based services instead of moving everything to the cloud. Healthcare organizations are taking a deeper look at the benefits of each HIPAA-compliant cloud service and evaluating which will best fit their needs while also providing the most secure environment for the patient and the organization.

Practice Fusion, Inc., is one of the leading privately-owned cloud-based electronic health record companies in the industry. Practice Fusion’s EHR options provide progressive and secure data solutions, allowing safer, more efficient communication between patients and medical providers.

Secure Direct Messaging and Health Information Exchange (HIE)

The increased reliance on medical communication via mobile devices, coupled with the massive amount of patient health information, financial data, and protected information (e.g., Social Security numbers), requires healthcare organizations to provide the most secure and HIPAA-compliant direct messaging and health information exchange (HIE) available.

Considering that 61% of healthcare organizations reported at least one data security breach in 2013, security breaches cost hospitals $1.6 billion each year, and HIPAA offenses can cost $50,000 for first offenses and millions for additional offenses, effective HIE security is essential for the healthcare industry to maintain secure interoperability between patients and providers.

Among the areas of secure messaging and HIE receiving the most attention from healthcare providers is drawing a clear delineation between the private and public patient data collected during a typical registration process. New efforts in this area include merging the collected data in a central data repository and assigning proper restrictions and permissions to each piece of data so that private data remains private.

An industry leader in the HIE space, DataMotion's Direct service offers the Direct Community Web Portal and the DataMotion SecureMail Gateway. These systems allow high-volume, secure data and message delivery through the user's preferred system.

Biometric Security Applications

Biometric security applications combine data gathered from scans of patients' physical features, such as fingerprints, face, iris, or even veins, with personal medical history to build a unique profile of the individual.

Proponents of biometric security applications believe this emerging technology will eliminate attackers’ opportunity to steal information by removing the need for patients to use traditionally collected patient information.

Specifically, biometric applications use infrared light and high-quality cameras to create data points from the scan of a physical feature (fingerprint, iris, vein patterns, etc.), then create a template unique to the individual.

When an individual's biometrics are captured again, for instance upon return to a healthcare provider, they are entered into a "one-to-many" biometric search that compares the scan against all templates in the database. The unique data points of the patient's biometric scan are attached to the patient's medical records and, in many cases, a color photograph of the patient. The biometric scan process provides initial and secondary points of authentication, thus increasing the security of the data being protected.
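As an added example (not code from the article or from any vendor it names), the following shows the template-and-search steps just described: a scan is reduced to a fixed-length bit template, a fresh scan of the same feature is never bit-identical, so the one-to-many search picks the closest enrolled template and accepts it only under a distance threshold, and at registration the same search flags a feature already enrolled under another identity. The 256-bit templates, the 20% Hamming threshold and the sample gallery are constructed assumptions; real systems use vendor-specific feature extractors and tuned thresholds.

```python
import random
from typing import Dict, Optional, Tuple

TEMPLATE_BITS = 256       # assumed template length (iris-code style bit string)
MATCH_THRESHOLD = 0.20    # assumed: accept if at most 20% of bits differ


def hamming_fraction(a: int, b: int) -> float:
    """Normalized Hamming distance between two equal-length bit templates."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def noisy_recapture(template: int, flips: int, seed: int) -> int:
    """Simulate a fresh scan of the same feature by flipping `flips` distinct bits."""
    rng = random.Random(seed)
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def one_to_many_search(gallery: Dict[str, int], probe: int) -> Optional[Tuple[str, float]]:
    """Compare a probe against every enrolled template; return the closest one if within threshold."""
    best: Optional[Tuple[str, float]] = None
    for patient_id, tmpl in gallery.items():
        d = hamming_fraction(probe, tmpl)
        if best is None or d < best[1]:
            best = (patient_id, d)
    if best is None or best[1] > MATCH_THRESHOLD:
        return None  # no enrolled template is close enough
    return best


def enroll(gallery: Dict[str, int], patient_id: str, probe: int) -> Tuple[str, str]:
    """Registration: search first, so a feature already enrolled under another
    identity is flagged instead of silently creating a second record."""
    hit = one_to_many_search(gallery, probe)
    if hit is not None and hit[0] != patient_id:
        return ("duplicate", hit[0])
    gallery[patient_id] = probe
    return ("enrolled", patient_id)


def build_gallery() -> Dict[str, int]:
    """Constructed gallery of three enrolled patients with random templates."""
    rng = random.Random(42)
    return {pid: rng.getrandbits(TEMPLATE_BITS) for pid in ("P-1001", "P-1002", "P-1003")}
```

Unrelated random templates differ in roughly half their bits, so the threshold separates a genuine re-scan (a few percent of bits flipped) from a stranger by a wide margin; the templates themselves are still sensitive data and need the same protection as the records they unlock.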

Further developments in the biometric space have linked the unique data points collected from physical scans with chip-embedded smart cards. These cards allow the biometric data and photograph to be checked before secure patient medical and health records are accessed.

The rapid shift to mobile and wireless devices has also created an opportunity for further biometric authentication applications in this new, emerging space. For example, similar to using fingerprint scanning available on newer mobile phones to purchase on Amazon, unlock your mobile device, or access banking information, healthcare security experts see the opportunity to use the stored biometric authentication information to eliminate the need for central databases – a favorite of hackers. While not yet in mainstream use, there are several healthcare organizations currently internally piloting biometric authentication security applications.

Two companies leading the healthcare industry shift to biometric security applications are ImageWare Systems, Inc., and NEC. Both ImageWare and NEC continue to develop cutting-edge biometric identification solutions; these solutions include multi-modal authentication solutions such as finger/palm scans, iris identification, and DNA and facial recognition systems delivered on premises and through cloud-based applications.

InfoSec Institute
Ryan Fahey