The problem with healthcare and information security stems from the primary objective of healthcare. Fortunately for all of us, the directive of the healthcare industry is patient care. Prima facie, this is common sense. To fulfill its mission, a hospital or other facility has to share data (patient records, prescriptions presently being taken, treatment plans, etc.) among multiple parties. This creates an opportunity for breaches, as every additional party adds endpoints exposed to attack. Instead of one person or group having access, there are many others who require it.
The increase in the number of persons with access provides many more targets for social engineers. This increase in vulnerable endpoints lets an attacker concentrate effort on exploiting and breaching the healthcare provider. A not so gentle reminder of this issue is the string of hospital breaches and encrypted files and servers, especially the recent example in Hollywood with the ransomware payment of $17k, and the infamous OPM breach.
To mitigate this, there is a simple formula, although it has been and will continue to be difficult for users to put into practice. The most direct integration strategy involves training. The standard training regimen is completely applicable, and given the data flow and number of endpoints, coupled with the liability to the entity in the event of a breach, additional training is reasonable. The staff members (nurses, nursing assistants, physicians, physician assistants, and others) need to know what to be aware of. The training would need to focus on spear phishing and the methods social engineers use to build rapport with others, so that staff members recognize the modes of attack that may be used against them.
With this done, the opportunity for a successful breach would be lowered.