If you thought 2014 was a big year for data breach and HIPAA violations, this year the industry could see even more attacks on healthcare organizations, according to a recent cyber security report by Radware, a provider of application security solutions. And not only is the industry at higher risk, but threats are growing in complexity and are going to require more sophisticated mitigation strategies.
According to the report, based on a survey of more than 300 IT professionals, more than a third of respondents (36%) indicated that they have employed "hybrid solutions" to help gain ground against attacks, combining on-premises equipment with cloud-based technologies. Nearly half of respondents (48%) suggest that they will employ a hybrid solution by 2015.
One of the organizations that ramped up its efforts to contain a data breach is Boston Children's Hospital, which in 2014 became the first healthcare organization to be targeted by what Radware calls a "hacktivist" group. Because BCH uses the same Internet service provider as seven other area healthcare institutions, the organized attacks had the potential to bring down multiple pieces of Boston's critical infrastructure for healthcare.
The attacks began with a threatening Twitter message, which relayed private information related to a patient and her case managers (a strategy known as doxing). Within weeks, the attacks escalated to Distributed Denial of Service (DDoS) attacks, which attempted to overwhelm and bring down BCH's networks.
Fortunately, the organization acted quickly to prevent total network collapse and a massive data breach, says Ben Desjardins, director of security solutions for Radware, whose organization worked with BCH to mitigate the DDoS attacks.
But other organizations might not be so lucky—or well-equipped—to deal with a similar threat. With that in mind, Desjardins shared a few tips for other organizations:
1. Take stock of what you have.
Security threats are constantly evolving—but is your existing technology keeping up? That's a question CIOs should ask themselves. "Healthcare is [part of an] IT trend where [professionals] are putting more critical devices into networks," says Desjardins. "The result is that the industry needs to broaden its lens, considering not only the protection of data but the ability of those systems to reliably support the devices. They need to be increasingly focused on whether their systems can stay up in the face of attack."
2. Develop a contingency plan.
Does your organization have a solid plan in place for addressing a threat to its security system? If not, updating, reviewing or even creating a contingency plan should be #1 on your health IT to-do list, says Desjardins. A backup plan should address the question, "How will we operate if our network goes down?" says Desjardins, even if that means resorting to legacy processes.
3. Don't assume that you are not a target.
"The attack on Boston Children's Hospital highlights that all organizations are now at risk," says Desjardins. "Healthcare providers should start planning now by identifying critical business operations and clinical operations and working with their IT department to understand which ones depend on network data to allow them to function."
4. Seek outside expertise.
Since there are so many changes and evolving threats, "no internal IT department can be expected to keep up," says Desjardins. "It's important that IT teams have trusted vendors that can bring expertise." Therefore, when vetting potential partners, an organization should investigate whether an organization can go beyond just protect data from a basic breach. "You need know vendors that also know how to protect you from availability attacks against your network," he says.