New voluntary guidance from the FDA tells medical device managers to address security before submitting devices for pre-market review. This approach underscores the importance of security integration in product design (not just for the device, but for the firmware and systems that host the data) rather than the add-on approach that has failed so many organizations thus far. Learn from this guidance for greater data protection, especially when it comes to PHI security.
The Threat to Personal Health Information
Built-in security is important not just to medical device makers, but to any organization hosting personal health information, because this data is highly sought after by thieves. In the Anthem breach, thieves took the Social Security numbers, birth dates, street addresses, and e-mail addresses of clients, along with medical information numbers, all of which are useful for committing medical fraud. Complete health insurance credentials sell for 50 times as much as credit card information on the black market. BCBS employee Angela Patton allegedly sold screenshots of patients’ financial information to others, who then used the information to fraudulently open credit accounts, spending $742,000 at Sam’s Club alone.
Criminals tend to go after the weakest security link, and the health system is ill-prepared to combat fraud. According to the Ponemon Institute, instances of cyber attacks on healthcare organizations doubled between 2009 and 2013. The number of health records compromised climbed 138 percent from 2012 to 2013, and another 25 percent in 2014. The Anthem breach alone is expected to cost the company $1 billion.
The organizations hosting this highly vulnerable data are setting up mission-critical and regulated applications in the cloud to cut costs and increase efficiency. Unfortunately, many of them may not be employing state-of-the-art technology as they move to these advanced platforms.
The Role of Cloud Computing
The cloud market has matured considerably in recent years. More businesses use converged or hyperconverged systems, integrating virtual server and storage functions, rather than linking them through a network. Doing so lets companies concentrate applications and resources and gain greater flexibility with mobile workloads, allowing them to be copied, suspended, or moved more easily. In 2013, the hyperconvergence market was worth $5.4 billion. The market is expected to grow to $14.3 billion by 2017. With this explosive rate of growth, it’s clear that companies want these convenient, turnkey solutions that allow them to do more with fewer resources. Building a private cloud accomplishes that, but can leave companies even more vulnerable if not managed correctly.
Realigning Security Strategies for the Cloud
Security as implemented on legacy systems is woefully inadequate in the cloud. Building a system without internal security controls and attempting to protect it at the perimeter creates too many attack surfaces. And, in cloud infrastructure, you have a series of hypervisors underlying the entire system. Combining that with network-based security is a recipe for disaster. Instead, security must be integrated throughout the system, or built in. When security is based on the specific data being accessed, not the entire network, you can minimize privileges based on need, offering the greater security that protected health information requires.
Although virtualization consolidates systems and so creates fewer potential points of entry, each individual point carries a much larger risk. This consolidation also means you have a single platform that enables much broader control by administrators. With advanced cloud systems, organizations need advanced, built-in security that protects data where it lives. In doing so, organizations gain greater security, along with greater availability and compliance.
HyTrust Offers Advanced Security for Today’s Cloud
HyTrust uses a built-in security method to protect data. With CloudControl’s visibility and granular controls, it’s easier to spot intrusions and to limit access on a “need-to-know” basis. By building controls into the data gateways, not just network entry points, information remains more secure. And HyTrust’s DataControl ensures secure encryption key management to keep data protected wherever it may travel. Contact HyTrust to find out more about how our software can help you mitigate cloud risk.