Whether it’s a ransomware attack, data breach, or another unnamed method that exposes and exploits private, sensitive, or proprietary data, 2021 is shaping up to be the “year of the breach,” with healthcare orgs among the prime targets. Last week, Humana became the latest healthcare org to fall victim to a cyberattack when hackers leaked the medical data of over 6,000 patients, acquired through a third-party app for Medicaid Advantage members and agents.

In the first half of 2021, 360 breaches exposed almost 23 million patient records — more than in any other six-month period since the US Department of Health and Human Services’ Office for Civil Rights (OCR) began keeping track. This shouldn’t come as a surprise, because healthcare organizations:

  • Manage and store lots of valuable data. Vast amounts of data are shared among an increasing number of physical and virtual entities, both inside and outside the entities’ IT networks.
  • Maintain large, expanded third-party networks that can be exploited (physicians, researchers, business associates, insurers, payers, etc.).
  • Rely heavily on technology for virtual care, connected medical devices, diagnostics, and patient engagement.
  • Struggle to secure sensitive data as it flows between their hospital clinical engineering/IT networks, clinician remote access points, virtual care platforms, third-party healthcare partners, and even patient home networks.

The considerable amount of blind data sprawled across the healthcare ecosystem, sitting on flat, vulnerable networks with poor access controls, has made healthcare the low-hanging fruit for hackers who’d rather work smarter, not harder.

While there’s no single remedy, adopting Forrester’s Zero Trust strategy can help most healthcare delivery organizations. In our recently published report, The Zero Trust Security Architecture For Healthcare, my colleague Alla Valente and I discuss how new risks of the post-COVID delivery model put Zero Trust front and center in healthcare delivery organizations. Among the recommendations are the need for an overarching security strategy, visibility into the risk associated with third-party data-sharing relationships, and accelerating innovation without jeopardizing safety, privacy, and security.

If you are responsible for security at a healthcare provider and would like to learn more about this, please schedule an inquiry call with me or Alla today.