
Best Practices for Protecting Customer Data: Focus on Data Breach Prevention and Protocol

With a company’s average cost of suffering a data breach at approximately $3.86 million (IBM/Ponemon Report), cursory defenses are not enough. Data security needs to be part of your culture.

At a recent XIFIN roundtable, Kevin Hagen, XIFIN Vice President of Information Systems, and I discussed how XIFIN protects customer data. Kevin introduced the value of stolen PHI data and best practices for physical security, which you can find summarized in a recent blog post. To continue that conversation, it’s important to understand the different types of data attacks targeting protected health Information (PHI) and best practices for thwarting and responding to data breaches. Here are highlights from my discussion:

A Growing Data Threat Level

The HHS OCR portal lists all breaches reported within the last 24 months that are currently under investigation by the Office for Civil Rights. It's a valuable tool used by XIFIN in its ongoing efforts to develop best practices for security controls and testing. For example, when XIFIN holds security awareness training, we use statistics and breach information from the HHS OCR list.

But perhaps nothing does a better job of awareness than looking at the problem in terms of costs. According to the IBM/Ponemon Report, if you had a data breach in 2018, your average cost per single healthcare sector record was $408 — an increase of $28 per record from 2017. In comparison, a financial services record post-breach would cost $206, while a services record would cost $181. The study also pointed out (see graphic):

Data breaches are costly and possibly economically devastating. However, there are best practices for guarding against them.

Data Breach Response

An incident response team that is well-trained, prepared, and quick in detection is integral to lowering the cost of a breach. According to the IBM study, the following items can help reduce the cost per record after a data breach:

  • Incident response team — $14.00 per record
  • Extensive use of encryption — $13.10 per record
  • BCM involvement — $9.30 per record
  • Employee training — $9.30 per record
  • Participation in threat sharing — $8.70 per record
  • Artificial intelligence platform — $8.20 per record
  • Use of security analytics — $6.90 per record
  • Extensive use of DLP — $6.80 per record
  • Board-level involvement — $6.50 per record

NIST Cybersecurity Framework

The NIST Cybersecurity Framework, the result of an executive order from President Obama in 2013, mandates that all critical infrastructure companies follow established standards, guidelines, and best practices to manage cybersecurity-related risk. For non-critical infrastructure companies, the framework is voluntary.

XIFIN uses the framework for guidance on many systems. Key objectives include supporting organizational missions, fulfilling cybersecurity requirements and compliance, and managing vulnerabilities and threats in the environment.

The core of the framework has five functions: Identify, Protect, Detect, Respond, and Recover. Each of those is broken down into a total of 23 categories. The goal is to use everyday language so that people from the C-level down share a common vocabulary and understand what is being discussed and implemented.

The Business Environment category is broken into subcategories, which are paired with informative resources that will give you further guidance.

XIFIN’s technology stack, which covers the three core parts of the cybersecurity framework — prevent, detect, and respond — is categorized by attack vectors. These include:

  • Email — As pointed out by the HHS OCR Data Breach Portal, email is a large target of hackers. XIFIN has two platforms for email traffic: Mycast and Office 365. Mycast is an excellent solution for analyzing email and has a high rate of malware detection. It also has an excellent spam detection rate. We use Office 365 for DLP and advanced threat protection. The security team also conducts monthly phishing exercises and reporting. Remember, email threats are on the rise, so concentrate on prevention by:
      • Blocking known bad file extensions
      • Scanning for malware
      • Rewriting URLs
      • Detecting phishing schemes
      • Awareness and continuous testing
  • Application — XIFIN uses purpose-built rules within its intrusion prevention systems, along with a web application firewall. The intrusion prevention systems look for signatures that are in ACDB headers and other protocol traffic.
  • Endpoint — Since the endpoint is a beachhead for people establishing lateral movement within your environment, you must protect and log endpoints. XIFIN uses a suite of agents to combat endpoint challenges, such as detection and response, anti-virus, and DLP, which all go through a network proxy to access anything on the Internet.
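Three of the email prevention controls listed above (blocking known bad file extensions, rewriting URLs for click-time checking, and flagging phishing indicators) can be illustrated in a few dozen lines. The following is an added example written for this article, not XIFIN's code and not the behaviour of Mycast or Office 365. The blocked-extension list, the safelinks.example.internal redirector and the sample message are all constructed for the demonstration; a real gateway also scans attachment content rather than trusting the file name.

```python
"""Minimal inbound mail policy checks: block dangerous attachment extensions,
rewrite links so they are evaluated at click time, and flag basic phishing signals.
Added example; the policy values below are assumptions, not a vendor's configuration."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import quote

# Extensions commonly blocked at a mail gateway (assumed policy list for this example).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                      ".ps1", ".jar", ".iso", ".lnk"}
# Hypothetical click-protection redirector; real products use their own URL.
REWRITE_PREFIX = "https://safelinks.example.internal/?u="
URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your")


def attachment_verdicts(msg):
    """Return (filename, blocked) for each attachment.
    Every suffix is checked, so a double extension such as 'invoice.pdf.exe' is caught."""
    verdicts = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffixes = ["." + s for s in name.split(".")[1:]]
        blocked = any(s in BLOCKED_EXTENSIONS for s in suffixes)
        verdicts.append((name, blocked))
    return verdicts


def rewrite_urls(text):
    """Wrap every http(s) URL in the redirector so the destination is
    re-evaluated when the user clicks, not only when the mail was delivered."""
    return URL_RE.sub(lambda m: REWRITE_PREFIX + quote(m.group(0), safe=""), text)


def _domain(header_value):
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()


def phishing_indicators(msg):
    """Cheap header heuristics: a Reply-To domain that differs from the
    sender domain, and urgency language in the subject line."""
    hits = []
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        hits.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    subject = (msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        hits.append("urgency language in subject")
    return hits


def analyze(msg):
    """Run all three checks and return the results in one dict."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        "attachments": attachment_verdicts(msg),
        "rewritten_body": rewrite_urls(body),
        "indicators": phishing_indicators(msg),
    }


def build_sample():
    """Constructed message for the demonstration; not a real phishing sample."""
    msg = EmailMessage()
    msg["From"] = "Payroll Team <payroll@example.com>"
    msg["Reply-To"] = "payroll@example-mail.net"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "URGENT: review your updated pay statement"
    msg.set_content("Your statement is ready: http://example-mail.net/statement\n"
                    "Open the attachment to confirm.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="PayStatement.pdf.exe")
    return msg


if __name__ == "__main__":
    result = analyze(build_sample())
    for name, blocked in result["attachments"]:
        print(f"attachment {name}: {'BLOCKED' if blocked else 'allowed'}")
    print("indicators:", result["indicators"])
    print("body after URL rewriting:\n" + result["rewritten_body"])
```

Running the script on the constructed message blocks the double-extension attachment, rewrites the link through the redirector, and reports both header indicators; in a gateway, any one of these would route the message to quarantine rather than delete it, so analysts can review it and feed the result back into the awareness programme the article describes.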

Testing Your Defenses

Internally, XIFIN analysts are monitoring our controls and systems, while externally, we use a third-party security service provider. This specialized provider looks at our data, correlates it with known threats, monitors indicators, and if anything were to be compromised, alerts our response team immediately.

Regarding network endpoints, XIFIN performs vulnerability scans and uses the MITRE ATT&CK framework, as well as many open source tools. For applications, we do dynamic application scanning.

Other best practices XIFIN follows:

  • Security approval and audit of all information system access requests, including quarterly internal auditing
  • An extensive change management process that includes an Application Review Board and Database Review Board that meet twice a week
  • Risk management protocols include: NIST SP800-30 – Guide for Conducting Risk Assessments, NIST SP800-39 – Managing Information Security Risk
  • Third-party assessments

Security through Employee Training

XIFIN offers extensive employee training. In the onboarding process, new employees meet with security team members to discuss how to handle PHI and various security controls, and new employees receive computer-based training on Day 1. Topics include malware, HIPAA security and revenue cycle regulation and compliance.

Also, all employees receive an annual security awareness training refresher. Employees review significant policy changes, cyber threat trends, and relevant breach examples. XIFIN also publishes a monthly security awareness newsletter that includes the latest threats to PHI.

Red Teaming

One way to learn to defend PHI is by establishing simulation attacks within your environment. Typically, the Blue Team is your IT professionals who defend your organization from cyber attacks. The adversarial group trying to infiltrate your defenses is the Red Team.

By using open source tools such as ATT&CK and CAPEC, you can simulate attacks, react to threats, and measure results.

Protecting against cyber attacks requires continuous planning for new and evolving criminal tactics, employee training, a robust budget, and preventative education. In the end, your efforts can save you a lot of money and reputational harm.

For more information on criminal attraction of PHI and shared best practices on physical security, read, “Best Practices for Protecting Customer Data: Focus on Physical Security.”

Published by XIFIN