Healthcare providers require applications and online services to streamline processes, manage patient data and cut costs. The growth of online services and web-based content introduces new challenges, including managing and securing large volumes of patient data and 24×7 access to critical applications to ensure a quality experience for users.
As healthcare organizations transition to electronic record keeping and deploy more online services, health records are increasingly vulnerable to digital theft. Healthcare records are highly valuable to cybercriminals because of the types of data they contain, including insurance information, payment details, addresses, etc. Everything that a cybercriminal requires to obtain a bank loan, commit tax fraud or send fake bills to insurance companies is contained in medical records.
Radware’s 2019–2020 Global Application and Network Security Report shows that the top two healthcare security concerns are data security and service and application availability.
Protecting Sensitive Data
October 2019 was the worst month for healthcare data breaches since the Office for Civil Rights began listing breaches on its website in 2009, according to the 2019 HIPAA Journal. Data breaches are still occurring more than once a day, with the average breach size increasing by 30.1% to 18,208 records in November 2019.
Radware’s 2019–2020 Global Application and Network Security Report reflects this trend: 36% of healthcare respondents stated that they experienced daily/weekly cyberattacks in 2019.
The healthcare industry is relatively unprepared to keep data secure. It struggles with understanding the existing threat landscape while staying ahead of new threats. For example, the FDA issued new guidelines in 2018 for data security in medical devices. Medical devices, ranging from health applications on a smartphone to insulin pumps, are increasingly network connected, creating new security vulnerabilities. Exploitation of these vulnerabilities can lead to data breaches and even fatalities.
The healthcare industry began migrating to public cloud environments with noncritical workloads. Having seen that the benefits outweigh the risks, it has now begun migrating mission-critical infrastructure to reduce costs and transform operations while providing higher levels of service and engagement.
According to the aforementioned Radware report, one-third of healthcare respondents named web and application intrusions as their top cloud computing concern, followed by credential threat and malware.
Staying Open for Business
Healthcare providers depend on websites and online services. Their networks and applications must be available 24×7 to allow patients and healthcare professionals to access resources. Healthcare respondents to the aforementioned Radware report indicated that the most frequent attacks were malware and bots, social engineering and DDoS attacks. More than 40% reported productivity/operational loss as a repercussion of successful attacks, followed by negative customer experience and intellectual property loss.
The global wearable medical devices market is expected to surpass $29 billion by 2026, according to Transparency Market Research (TMR). The rapid adoption of wearable healthcare technology has been driven by an increasing population of diabetics and wellness enthusiasts interested in tracking health metrics, according to the report.
Concerns about data privacy and security are impacting this growth. According to Radware research, IoT devices don’t have built-in security. Instead, wearable equipment manufacturers have focused on data collection and price sensitivity for production and sales. Service providers, who have to defend their own networks from threats launched from IoT devices, could potentially offer a managed network service to defend enterprises from attacks.
Healthcare providers face many operational and security challenges, and should consider the following capabilities when choosing a security solution:
- A web application firewall (WAF) solution that uses a positive security model and machine learning algorithms to provide adaptive defense against the OWASP Top 10 and other threats.
- The ability to identify exposed assets, remove excessive permissions, detect misconfigurations, and detect and defend against data breaches.
- Behavioral-based hybrid attack mitigation, combining on-premise detection and mitigation with cloud-based volumetric attack scrubbing.
- Keyless SSL attack protection, which defends against encrypted attacks without adding latency and impacting legitimate traffic.