Working in security, you always wonder which industry is doing the worst when it comes to protecting critical assets and which suffers the most breaches. One of my favorite sites is http://www.privacyrights.org, which keeps a tally of breach statistics dating back to 2005. Doing some analysis of this year's breaches, the healthcare industry has experienced 170 breaches out of the 480 total for 2011. That is more than double the count of any other industry listed in the privacyrights.org database. One thing this shows me is that the traditionally notorious education field has gotten significantly better: there were only 52 publicly reported data breaches in education this year, versus 73 in 2010 and an alarming 101 in 2006. Below is a bit of trending analysis showing the number of reported breaches per year for the healthcare industry.
The chart above shows a clear increase in healthcare-related breaches in 2010 and 2011. If we look at education, the chart below shows a steady decline in attacks:
Having done assessment work for the healthcare industry, and from an outsider's perspective, the potential causes of the heightened level of attacks in healthcare are fairly clear. For one, HIPAA is heavily relied upon as the security program of the organization. A reactive approach to security and checkbox compliance will never equate to building a security program and protecting the organization from attack. The second cause is the state of asset management and classification programs within the organization. In most cases, the true "life and death" systems make up roughly 5% of the actual systems in the environment. Generalizing across hospitals and their critical systems is challenging, but in a working security program, assets are identified by their criticality to the business and then protected according to the level the organization decides on. In healthcare, most systems are thrown into the critical or "life and death" category and never receive a consistent level of patching, hardening, or security.
In addition to asset classification, the vendor space in healthcare is a pretty rough one. Security has not matured within vendors' software development lifecycles, and applications are rarely submitted for security review. Most hospital applications have seldom, if ever, undergone a security review to ensure the stability of the application. In most cases, service level agreements (SLAs) contain little to no wording around ensuring security or frequent testing of applications. Applications are sold to healthcare organizations and then never touched for years to come.
All of these are signs of a field that is immature when it comes to security. Many organizations in other industries have adopted a proactive approach to security and built a heightened security program that can detect and respond to attacks. The healthcare industry has a long way to go toward a maturity model that can support a defensive strategy for protecting its assets. As long as HIPAA compliance continues to be sold as protection against attacks, we will continue to see large exposures in the healthcare industry. Compliance is a great way to get buy-in for security, but it should never be treated as the security program itself. Some basic tips for the healthcare folks:
* Identify critical assets and protect what's critical to the organization
* Develop a risk management program that tackles some of the riskiest areas of the organization
* Leverage HIPAA as a funding source, but build a security program that is forward-thinking and proactive
* Isolate and heavily protect the "life and death" systems while ensuring extremely high availability for them
* Develop a program that focuses on tackling threats towards the organization versus compliance
* Leverage other industries that have heightened levels of security that can assist in program development
* Place security as a business enhancement of the organization versus an expense and roadblock
* Change the perception that HIPAA is the end-all-be-all of security and of protecting protected health information (PHI)
* Understand that nothing will ever be fully secure; the ability to detect, respond, and minimize impact is what matters
* Develop a vendor management program and application security program that combats potentially harmful code being introduced into the environment
* Refrain from purchasing shiny new APT or DLP prevention tools; these will destroy you. Invest in people and process rather than silver bullets
Kudos to the education field on getting things together this year. Hope 2012 is an even better year for everyone.