
7 Rookie Security Mistakes Made by Health Care Organizations

Health care entities often operate several steps behind criminal hackers and other data thieves. For a number of years now, the not-so-subtle (but often neglected) warning signs of this disparity have been on full display. Now, health and medical organizations - which include hospitals, doctor's offices, urgent-care facilities, nursing homes, pharmacies, health insurance companies and others - are more pressured than ever to ensure their networks, systems and applications are protected from the inevitable threat lurking in the shadows.

But before they can remedy their shortfalls, they must prioritize the biggest things that need fixing. Here are seven common blunders harming the health care sector:

Not accounting for the changing threat landscape: While the health care industry deals with a number of unique challenges, the troubles it faces are not unlike those in other sectors. Threats are advancing, security skills are at a premium, budgets are tight, legacy systems are going unpatched and the attack surface is expanding. Yet studies show that health care organizations are doing a substandard job of ensuring their breach prevention, detection and response measures are effective.

Slowly adopting advanced technologies and services: One big difference between health care and other industries that swim in sensitive data, such as finance, is that organizations in health care haven't invested as much as they should in advanced security solutions - such as anti-malware gateways to detect and block threats in real time and threat management to identify and assess attacks and other suspicious network behavior. In addition, health and medical firms, much like members of other industries, have been agonizingly slow to detect incidents, limiting their ability to perform damage control and effectively communicate with affected customers.

Inadequately protecting confidential records: Entities such as hospitals, doctor's offices and urgent-care clinics are custodians of a wide swath of sensitive information. As the black market for financial data, such as credit card numbers, has become commoditized over the years, medical data is growing more valuable. Cybercriminals recognize the value of patient data, such as stolen health insurance numbers, to acquire medications and services. A 2014 medical identity theft study found that an estimated 2.32 million Americans have fallen victim to such a crime, with an average cost of $13,500 to resolve it. Organizations must implement a layered, flexible and proactive defense strategy.

Failing to consider the risks of mobile and cloud: Never before has medical data been so conveniently accessible by doctors, nurses and patients through devices such as smartphones, tablets, portals and health exchanges. This dissolving perimeter results in efficiency wins and improved patient and health care delivery, yet these endpoints often lack basic security, such as access control, vulnerability management and encryption, making them prone to malfeasance and data loss. And it further opens the door for deliberate or accidental insider threats, such as patient snooping or the careless handling of information. (In a similar vein, as researchers have revealed, wearable and implantable medical devices are at risk to hacking too).

Failing to assess the security of business partners: We've read a lot in recent months about the dangers posed by the partners and contractors with whom companies have business relationships. For instance, an exploitable vulnerability or malware infection at a third-party vendor (or a newly acquired company, amid a growing spike of hospital mergers) can serve as the entryway for adversaries to reach their ultimate target. Health care is no different. Business associates - those third-party contractors that serve health care organizations - are responsible for a majority of health and medical breaches. Fortunately, the federal law that governs the protection of health information, known as the Health Insurance Portability and Accountability Act (HIPAA), covers these entities.

Not leveraging managed security services effectively: Security and compliance are not core competencies for health care professionals, who are rightly focused on delivering quality care to their patients. Oftentimes they rely on smaller, local IT companies and consultants to provide a patchwork of disjointed services that are not up to the task of dealing with today's cybercriminals. Instead, turning to a mature managed security services provider (MSSP) with a global reach can provide a comprehensive set of threat, vulnerability and compliance management services under one roof - and create economies of scale in both direct and administrative costs, with the end result being a greatly improved security outcome.

Operating under a 'checkbox mentality': The aforementioned HIPAA regulation carries more teeth than it ever has - with violators being steadily fined following breaches - and a new round of audits is imminent, albeit delayed. But like any compliance mandate, HIPAA should be viewed as the floor, not the ceiling, of good security. Organizations that go above and beyond compliance typically are the ones least likely to fall victim to a major compromise.


For more insight and quick-hit advice on improving one's security risk profile, check out our 2014 State of Risk Report.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.
