The recent cyberattack on Excellus BlueCross BlueShield is unfortunately another in a long list of healthcare and insurance company data breaches. According to a recent report by KPMG, in the past two years 81 percent of hospitals and health insurance companies have had a data breach.
Many companies try to comply with regulations, like HIPAA, in the most minimal ways. They meet the letter of the law, but don’t do enough to protect healthcare data from sophisticated hackers or trusted insiders who are intent on stealing information. While HIPAA says you must protect data and even defines encryption, it doesn’t say how. In many cases companies don’t encrypt the data itself, but only use perimeter-based security to deny access to it. As we can see from this and other attacks, the bad guys are getting in, so perimeter security isn’t enough.
Most companies store sensitive information in files or databases. Users create files and may store them locally, move them to a file share, move them to a cloud file-sharing service or upload them to a content management system. All these systems have some level of access control to prevent an unauthorized user from accessing the files. If an authorized user moves the file out of the file repository and shares it with an unauthorized user, that person can do anything with the file. Once out of the system, the access protection is no longer valid.
The same is true of a database. There are access controls to limit data access and in many cases the data is encrypted, but if someone takes a local copy of the data by running a report or downloading it into a spreadsheet, that person can do anything with that copy. The encryption and access control are gone.
Protecting the data at the source with strong encryption and multi-layered authentication guarantees that only authorized users can access this sensitive information. This goes well beyond a simple password to access a file. Applying persistent security that travels with the data ensures that if any unauthorized user gets the information, it will be inaccessible. If the person tries to open it, they will see a bunch of random bits. The data is always under control and you can even remotely kill access to it.
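The following is an added illustration of the "persistent security that travels with the data" idea described above; it is example code written for this page, not code from the original post or from any product. It assumes a small in-process key/policy service (a stand-in for a real key server), per-document AES-256-GCM keys, the document ID bound as associated data, and constructed sample data and user names ("alice", "mallory"). The envelope bytes can be copied anywhere; without a policy decision from the key service they are just random-looking bytes, and revoking the document acts as the remote kill switch.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Policy errors returned by Open.
var (
	ErrNotAuthorized = errors.New("user is not authorized for this document")
	ErrRevoked       = errors.New("access to this document has been revoked")
	ErrTampered      = errors.New("envelope failed authentication")
)

// record is what the key service keeps per document: the data-encryption key,
// the set of authorized users, and the revocation flag (the "remote kill").
type record struct {
	key     []byte
	allowed map[string]bool
	revoked bool
}

// KeyService is a hypothetical stand-in for a policy/key server. Keys never
// leave it except to a caller that passes the policy check, so protection
// follows the envelope wherever its bytes are copied.
type KeyService struct{ docs map[string]*record }

func NewKeyService() *KeyService { return &KeyService{docs: map[string]*record{}} }

// Envelope is the protected form of a document: everything a reader needs
// except the key. It can be emailed, copied to a share, or uploaded anywhere.
type Envelope struct {
	DocID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext || 16-byte tag
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts plaintext at the source under a fresh per-document key and
// binds the document ID as associated data, so an envelope cannot be relabelled.
func (ks *KeyService) Protect(docID string, plaintext []byte, allowed ...string) (*Envelope, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rec := &record{key: key, allowed: map[string]bool{}}
	for _, u := range allowed {
		rec.allowed[u] = true
	}
	ks.docs[docID] = rec
	ct := aead.Seal(nil, nonce, plaintext, []byte(docID))
	return &Envelope{DocID: docID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open releases the plaintext only if policy still allows user to read DocID.
func (ks *KeyService) Open(env *Envelope, user string) ([]byte, error) {
	rec, ok := ks.docs[env.DocID]
	if !ok || !rec.allowed[user] {
		return nil, ErrNotAuthorized
	}
	if rec.revoked {
		return nil, ErrRevoked
	}
	aead, err := newAEAD(rec.key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.DocID))
	if err != nil {
		return nil, ErrTampered // wrong key, edited bytes, or relabelled DocID
	}
	return pt, nil
}

// Revoke is the remote kill switch: every copy of the envelope, wherever it
// went, is unreadable to everyone from this point on.
func (ks *KeyService) Revoke(docID string) {
	if rec, ok := ks.docs[docID]; ok {
		rec.revoked = true
	}
}

// LeaksPlaintext reports whether the stored bytes (what someone who copies the
// file out of the repository actually holds) contain the plaintext.
func LeaksPlaintext(env *Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext)
}

func main() {
	ks := NewKeyService()
	data := []byte("constructed sample: member id 000-EXAMPLE") // not real data
	env, err := ks.Protect("claims/0001", data, "alice")
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in stored bytes:", LeaksPlaintext(env, data))
	pt, err := ks.Open(env, "alice")
	fmt.Printf("alice: %q %v\n", pt, err)
	_, err = ks.Open(env, "mallory")
	fmt.Println("mallory:", err)
	ks.Revoke("claims/0001")
	_, err = ks.Open(env, "alice")
	fmt.Println("alice after revoke:", err)
}
```

The design point is that the access decision is made at open time by the key service, not at copy time by the repository, which is exactly what the file-share and database scenarios above lack. A real deployment would put the key service behind authenticated, audited network calls and add the multi-layered authentication the text mentions before releasing a key.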
I fear these incidents will only increase until these companies take serious steps to protect the data.
Photo credit frankieleon