Mitigating emerging threats to mobile devices and applications should be a top health data breach prevention priority for 2016, says security expert Chris Bowen.
"What we're seeing from the new [threat] vector perspective is that a lot of mobile is coming to the spotlight," says Bowen, chief privacy and security officer and founder of the security firm ClearDATA.
"We've seen this trend for the last few years where we can use a mobile device in an incredibly effective way to enable healthcare to deliver amazing patient care," he says in an interview with Information Security Media Group. "Some of the greatest innovations happen that way. Unfortunately, at times, the mobile device has been enabled with great software that doesn't necessarily consider the entire ecosystem from a hardening perspective."
The only way to stay ahead of emerging threats is to "employ a security-first strategy, make sure you're doing vendor diligence, and make sure you're implementing a defense-in-depth strategy that considers every layer of security," he says.
For instance, healthcare organizations need to realize that mobile software may be storing logs that could contain personally identifiable information for a patient. Also, "you may be incorporating data flows from inside and outside that application that may not be hardened," he notes.
Additionally, mobile data is at risk "because people are still lugging laptops around without encryption," he notes.
In fact, about one-third of the incidents listed on the Department of Health and Human Services' "wall of shame" website, which tracks major health data breaches affecting 500 or more individuals reported since September 2009, involve lost or stolen laptops or other portable electronic devices that were not encrypted.
It's also important to vet technology suppliers, he stresses. "We see new entrants into the healthcare market - and sometimes that's a great thing, and other times it's shocking how lax the security can be, even from security vendors who really claim to embrace a security-in-depth strategy."
In developing strategies to fight against hacker attacks, which were pervasive in 2015, organizations need to take steps to make sure social engineering tactics fail, he says. "Hackers are really going after the easiest targets first," he points out. "It's not about stealing a database of credentials. It's more about stealing credentials one phishing email or keystroke logger at a time."
In the interview, Bowen also discusses:
- Other security weaknesses that make healthcare organizations easy targets for cyberattacks, and what those entities can do to bolster security;
- How healthcare entities can better prevent and detect breaches involving insiders, including members of their workforces as well as business associates;
- Three lessons that can be learned from the top healthcare breaches in 2015.
Bowen is the chief privacy and security officer and founder of security firm ClearDATA. He manages the risks and business impacts faced by global healthcare organizations, with a specific focus on cyberthreats, privacy violations, security incidents, social engineering attempts and data breaches. Bowen is a Certified Information Privacy Professional, Certified Information Privacy Technologist and Certified Information Systems Security Professional.