With a company’s average cost of suffering a data breach at approximately $3.86 million (IBM/Ponemon Report), cursory defenses are not enough. Data security needs to be part of your culture.
At a recent XIFIN roundtable, Kevin Hagen, XIFIN Vice President of Information Systems, and I discussed how XIFIN protects customer data. Kevin introduced the value of stolen PHI data and best practices for physical security, which you can find summarized in a recent blog post. To continue that conversation, it’s important to understand the different types of data attacks targeting protected health information (PHI) and best practices for thwarting and responding to data breaches. Here are highlights from my discussion:
A Growing Data Threat Level
The HHS OCR portal lists all breaches reported within the last 24 months that are currently under investigation by the Office for Civil Rights. It's a valuable tool used by XIFIN in its ongoing efforts to develop best practices for security controls and testing. For example, when XIFIN holds security awareness training, we use statistics and breach information from the HHS OCR list.
But perhaps nothing does a better job of awareness than looking at the problem in terms of costs. According to the IBM/Ponemon Report, if you had a data breach in 2018, your average cost per single healthcare sector record was $408 — an increase of $28 per record from 2017. In comparison, a financial services record post-breach would cost $206, while a services record would cost $181. The study also pointed out (see graphic):
Data breaches are costly and possibly economically devastating. However, there are best practices for guarding against them.
Data Breach Response
An incident response team that is well-trained, prepared, and quick in detection is integral to lowering the cost of a breach. According to the IBM study, the following items can help reduce the cost per record after a data breach:
NIST Cybersecurity Framework
The NIST Cybersecurity Framework, the result of an executive order from President Obama in 2013, mandates that all critical infrastructure companies follow established standards, guidelines, and best practices to manage cybersecurity-related risk. For non-critical infrastructure companies, the framework is voluntary.
XIFIN uses the framework for guidance on many systems. Key objectives include supporting organizational missions, fulfilling cybersecurity requirements and compliance, and managing vulnerabilities and threats in the environment.
The core of the framework has five functions: Identify, Protect, Detect, Respond, and Recover. Each of those is broken down into a total of 23 categories. The goal is to use everyday language so that people from C-level down can have a shared language and understand what's being discussed and implemented.
The Business Environment category is broken into subcategories, which are paired with informative resources that will give you further guidance.
XIFIN’s technology stack, which covers the three core parts of the cybersecurity framework — prevent, detect, and respond — is categorized by attack vectors. These include:
- Blocking known bad file extensions
- Scanning for malware
- Rewriting URLs
- Detecting phishing schemes
- Awareness and continuous testing
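As an added illustration of how three of these controls fit together in a single mail-gateway policy (this is example code written for this post, not XIFIN's own stack), the script below blocks attachments by extension, including double extensions such as "invoice.pdf.exe", rewrites every URL to a click-time protection redirector, and flags two phishing indicators: a display name that claims a different sender address, and a sender domain one or two edits away from the organization's own. The block list, the trusted domain "xifin.example", the redirector "safelinks.example.internal" and the sample message are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import quote

# Constructed block list; production gateways use vendor-maintained lists.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "jar", "lnk", "iso"}
# Hypothetical click-time protection redirector (an assumption, not a real service).
REWRITE_PREFIX = "https://safelinks.example.internal/?u="
# Constructed set of domains the organization treats as its own.
TRUSTED_DOMAINS = {"xifin.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Message:
    from_name: str        # display name as shown to the recipient
    from_addr: str        # actual envelope/header sender address
    body: str
    attachments: list     # attachment file names


@dataclass
class Verdict:
    action: str = "deliver"                       # "deliver" or "quarantine"
    findings: list = field(default_factory=list)  # human-readable reasons
    body: str = ""                                # body after URL rewriting


def blocked_attachment(filename: str) -> bool:
    """Block if ANY extension in the name is listed, so 'report.pdf.exe' is caught."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return any(ext in BLOCKED_EXTENSIONS for ext in parts[1:])


def rewrite_urls(body: str) -> str:
    """Wrap each URL in the redirector so the destination is re-checked at click time."""
    return URL_RE.sub(lambda m: REWRITE_PREFIX + quote(m.group(0), safe=""), body)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(msg: Message) -> list:
    """Return the phishing indicators present in the sender fields of msg."""
    findings = []
    domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    # Display-name spoofing: the name carries an address whose domain differs from the real one.
    m = re.search(r"[\w.+-]+@([\w.-]+)", msg.from_name)
    if m and m.group(1).lower() != domain:
        findings.append(f"display name claims {m.group(1)} but sender is {domain}")
    # Lookalike domain: within two edits of a trusted domain, but not the trusted domain itself.
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            findings.append(f"sender domain {domain} resembles trusted domain {trusted}")
    return findings


def evaluate(msg: Message) -> Verdict:
    """Apply all three controls and decide whether the message is delivered."""
    v = Verdict(body=rewrite_urls(msg.body))
    for name in msg.attachments:
        if blocked_attachment(name):
            v.findings.append(f"blocked attachment type: {name}")
    v.findings.extend(phishing_indicators(msg))
    if v.findings:
        v.action = "quarantine"
    return v


def demo_verdict() -> Verdict:
    """Evaluate a constructed sample message that trips all three controls."""
    sample = Message(
        from_name="Billing <billing@xifin.example>",
        from_addr="billing@xifln.example",
        body="Please review http://example.com/invoice before Friday.",
        attachments=["invoice.pdf.exe", "notes.txt"],
    )
    return evaluate(sample)


if __name__ == "__main__":
    verdict = demo_verdict()
    print(verdict.action)
    for finding in verdict.findings:
        print(" -", finding)
    print(verdict.body)
```

The double-extension check matters because a "blocked extensions" rule that only looks at the last suffix is trivially bypassed by naming; the lookalike check is deliberately cheap (edit distance) and would be paired with homoglyph normalization and a larger trusted-domain list in practice.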
Testing Your Defenses
Internally, XIFIN analysts are monitoring our controls and systems, while externally, we use a third-party security service provider. This specialized provider looks at our data, correlates it with known threats, monitors indicators, and if anything were to be compromised, alerts our response team immediately.
For network endpoints, XIFIN performs vulnerability scans and uses the MITRE ATT&CK framework, as well as many open source tools. For applications, we do dynamic application scanning.
Other best practices XIFIN follows:
Security through Employee Training
XIFIN offers extensive employee training. In the onboarding process, new employees meet with security team members to discuss how to handle PHI and various security controls, and new employees receive computer-based training on Day 1. Topics include malware, HIPAA security and revenue cycle regulation and compliance.
Also, all employees receive an annual security awareness training refresher. Employees review significant policy changes, cyber threat trends, and relevant breach examples. XIFIN also publishes a monthly security awareness newsletter that includes the latest threats to PHI.
One way to learn to defend PHI is by running attack simulations within your environment. Typically, the Blue Team is your IT professionals who defend your organization from cyber attacks. The adversarial group trying to infiltrate your defenses is the Red Team.
By using openly available resources such as MITRE ATT&CK and CAPEC, you can simulate attacks, react to threats, and measure results.
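"Measure results" is the step most often left vague, so here is an added example (written for this post, not a XIFIN tool) of a scorecard for one such exercise: each Red Team action is tagged with the ATT&CK technique it exercised, each Blue Team alert with the technique it claims to cover, and the script computes which techniques were detected, how long detection took, and overall coverage. The technique IDs are real ATT&CK identifiers; the timeline of executions and alerts is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Execution:
    technique: str     # ATT&CK technique ID the Red Team exercised
    started: datetime  # when the simulated action began


@dataclass
class Alert:
    technique: str     # ATT&CK technique ID the Blue Team's detection maps to
    raised: datetime   # when the alert fired


# Constructed exercise timeline (the technique IDs are real ATT&CK identifiers):
#   T1566.001 Spearphishing Attachment, T1059.001 PowerShell,
#   T1003 OS Credential Dumping, T1048 Exfiltration Over Alternative Protocol.
T0 = datetime(2019, 1, 1, 9, 0)
EXECUTIONS = [
    Execution("T1566.001", T0),
    Execution("T1059.001", T0 + timedelta(minutes=5)),
    Execution("T1003", T0 + timedelta(minutes=20)),
    Execution("T1048", T0 + timedelta(minutes=40)),
]
ALERTS = [
    Alert("T1566.001", T0 + timedelta(minutes=2)),
    Alert("T1059.001", T0 + timedelta(minutes=12)),
    Alert("T1003", T0 + timedelta(minutes=15)),   # fired BEFORE the action: stale, must not count
    Alert("T1048", T0 + timedelta(minutes=41)),
]


def scorecard(executions, alerts):
    """Map each executed technique to its time-to-detect (None if never detected)
    and return that map together with the fraction of techniques detected."""
    results = {}
    for ex in executions:
        # Only alerts raised at or after the action started can be credited to it.
        hits = sorted(a.raised for a in alerts
                      if a.technique == ex.technique and a.raised >= ex.started)
        results[ex.technique] = (hits[0] - ex.started) if hits else None
    detected = sum(1 for ttd in results.values() if ttd is not None)
    coverage = detected / len(executions) if executions else 0.0
    return results, coverage


def mean_time_to_detect(results):
    """Average time-to-detect over the techniques that were detected at all."""
    detected = [ttd for ttd in results.values() if ttd is not None]
    if not detected:
        return None
    return sum(detected, timedelta()) / len(detected)


if __name__ == "__main__":
    results, coverage = scorecard(EXECUTIONS, ALERTS)
    for technique, ttd in results.items():
        print(f"{technique}: {'not detected' if ttd is None else f'detected after {ttd}'}")
    print(f"coverage: {coverage:.0%}, mean time to detect: {mean_time_to_detect(results)}")
```

Gaps in the scorecard (here, credential dumping) are the exercise's output: they tell the Blue Team which detections to build or tune before the next run, and the time-to-detect figure tracks whether the incident response team is getting quicker, which the IBM study ties directly to lower breach cost.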
Protecting against cyber attacks requires continuous planning for new and evolving criminal tactics, employee training, a robust budget, and preventative education. In the end, your efforts can save you a lot of money and reputational harm.
For more information on criminal attraction of PHI and shared best practices on physical security, read, “Best Practices for Protecting Customer Data: Focus on Physical Security.”