As we continue to read about the common occurrence of healthcare breaches, most recently the August 3, 2016 announcement of Banner Health’s breach of 3.7 million records, I ask myself who, how or what can be done to prevent these breaches?
Here are the perspectives of two industry experts who arrive at the same technique.
Jonathan Crowe, a Senior Content Manager at Barkly, wrote about security solutions and the anatomy of a cyber-attack. He states that there are “many, many different variants of malware, over 390,000 reported every day.” Crowe goes on to state that the standard approach to dealing with them (malware attacks) “has been to successfully identify each and every one and add them to a blacklist.” He suggests “a better approach is to realize the real distinguishing characteristic of malware isn't its signature, it's what it attempts to do.” Crowe’s theory is that if you prevent a basic action the malware executes, you could render thousands of malware variants ineffective. He goes on to say organizations “need to be more disruptive, how? By shifting their focus from the signature-matching game to identifying and blocking the common behaviors all malware relies on to function.”
Nir Polak, CEO of data security vendor Exabeam, published an article in HealthIT News on August 3, 2016 regarding ransomware. Polak states that “recent strains understand how to move around a network, to encrypt not only files on employees’ end-points, but also on networked file shares. The impacts to healthcare organizations are therefore growing exponentially.” “But this also means that encryption of larger data-sets will take more time, and therefore these firms have a window for detecting and stopping ransomware.”
“We found that ransomware can be reliably detected using behavioral modeling,” Exabeam explained. “Based on the goal of reaching the payday or ransom stage of an infection, these programs logically must first distribute themselves, infect a system, stage their environment, scan for data to encrypt, encrypt it, and then finally inform the users what it has done.”
That is where the behavioral modeling can work. But it requires training users to identify and avoid ransomware attacks in the first place. What’s more, the fact that ransomware has such a specific goal actually makes it easier to create a definable kill chain.
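As an added illustration (not code from Barkly, Exabeam or the author of this post), here is a small behavioral detector of the kind both experts describe: it ignores signatures and instead flags a process that, inside a short window, renames many files across several directories while changing their extensions, the “scan for data to encrypt, encrypt it” stage of the kill chain above, or that drops a ransom-note filename. The thresholds, process names, paths and note names are constructed assumptions for the example.

```python
from collections import defaultdict, deque
import os

# Tunable thresholds; constructed for this illustration, not values from any vendor.
WINDOW_S = 60          # sliding window over each process's file activity
MIN_FILES = 20         # distinct files touched inside the window
MIN_DIRS = 3           # distinct directories touched (spread across a share)
MIN_EXT_CHANGE = 0.8   # fraction of renames that change the file extension
NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover.html"}  # constructed note names

def _ext_changed(old, new):
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()

def detect(events):
    """events: iterable of (t, proc, action, old_path, new_path) sorted by t.
    action is 'write' (old_path == new_path) or 'rename'.
    Returns one (proc, t, reason) alert per process, at the first event that
    crosses the thresholds. A backup tool also touches many files, but it does
    not rewrite extensions, which is what the ext_frac signal separates."""
    recent = defaultdict(deque)   # proc -> its events inside the window
    alerts, fired = [], set()
    for ev in events:
        t, proc, action, old, new = ev
        q = recent[proc]
        q.append(ev)
        while q and t - q[0][0] > WINDOW_S:
            q.popleft()
        if proc in fired:
            continue
        files = {e[3] for e in q}
        dirs = {os.path.dirname(e[4]) for e in q}
        renames = [e for e in q if e[2] == "rename"]
        ext_frac = sum(_ext_changed(e[3], e[4]) for e in renames) / len(renames) if renames else 0.0
        note = any(os.path.basename(e[4]).lower() in NOTE_NAMES for e in q)
        reasons = []
        if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS and ext_frac >= MIN_EXT_CHANGE:
            reasons.append(f"{len(files)} files in {len(dirs)} dirs, {ext_frac:.0%} ext changes")
        if note:
            reasons.append("ransom-note filename dropped")
        if reasons:
            fired.add(proc)
            alerts.append((proc, t, "; ".join(reasons)))
    return alerts

def sample_events():
    """Constructed log: a user editing documents, then a burst on a file share."""
    ev = [(i * 100.0, "libreoffice", "write", f"/home/alice/docs/report{i}.docx",
           f"/home/alice/docs/report{i}.docx") for i in range(6)]
    dirs = ["/srv/share/patients", "/srv/share/billing", "/srv/share/imaging", "/srv/share/hr"]
    for i in range(24):   # 24 renames across 4 directories in 24 seconds
        old = f"{dirs[i % 4]}/record{i}.pdf"
        ev.append((300.0 + i, "updater", "rename", old, old + ".locked"))
    note = "/srv/share/patients/readme_decrypt.txt"
    ev.append((330.0, "updater", "write", note, note))
    return sorted(ev, key=lambda e: e[0])
```

Running `detect(sample_events())` raises a single alert for the renaming process at the 20th rename, well before the note is written, which is the detection window Polak describes.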
The C-suite needs to understand the cost of not engaging with and enhancing their IT infrastructure. The latest estimate of the cost of a breach is $2.2 million, which does not include the damage to the brand, fines or lawsuits.
Watch for the release date of JAL’s 2016 Edition of “Practical Guide to Understanding and Implementing HIPAA”.
Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert providing guidance to organizations on HIPAA, GLBA, False Claims and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs, and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com OR follow JAL on Twitter @judithconsult
Personal Information Collected Online
• Personal Information means personally identifiable information such as information provided via forms, surveys, applications or other online fields, including name, postal or email addresses, telephone, fax or mobile numbers, or account numbers.
• Before or at the time of collecting personal information, JAL will identify the purposes for which the information is being collected.
• JAL will collect and use personal information solely for the purpose of fulfilling specific contracted engagements or for other compatible purposes, unless consent is obtained from the company and/or individual concerned or as required by law.
• JAL will retain personal information as long as necessary for the fulfillment of a specific contract or for a specific purpose.
• JAL will collect personal information as deemed lawful and, where appropriate, with the knowledge and/or the consent of the individual or company.
• Personal data should be relevant to the purposes for which it is necessary and should be accurate, complete and up-to-date.
• JAL will protect personal information by reasonable safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
• JAL will make readily available to customers information about our policies and practices relating to the management of personal information.
Terms and Conditions
JAL is committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained. By accessing this website, you are agreeing to and bound by these Website Terms and Conditions of Use and all applicable laws and regulations. If you do not agree with these Terms and Conditions, you are prohibited from using or accessing this website. The materials contained in this Web Site are protected by all applicable copyright and trademark laws.
Our Online Notices are subject to change. Please review them periodically. If we make changes, we will revise the “Last Updated” date at the top of this Notice. Any changes will become effective on the date the revised Notice is posted on the Site.