I recently attended the annual RSA conference and it reaffirmed my belief that 2016 is the year of big data and analytics, across all industries and especially in healthcare.
I honestly lost track of the number of companies on the expo floor at RSA that focused on user behavior analytics (UBA). That said, the capacity to leverage UBA to identify the presence of “threat actors” in the IT environment, and to report those threats in visual dashboards of increasing sophistication, further proves we are at an exciting time in our industry.
There is virtually no room for error when it comes to serious cyber threats, particularly when patient privacy or life and death decisions are at stake. In February, Hollywood Presbyterian Medical Center in Southern California fell victim to ransomware and ended up paying roughly $17,000 to get the decryption key so it could regain control of its files and data.
While that amount is minuscule for a hospital that has an operating budget of millions of dollars a year, it’s alarming to see how easy it is for internal or external threat actors to take advantage of poor security.
Even more concerning was that this ransomware incident was a direct result of an employee falling victim to a phishing attack, one of the most efficient, yet low-tech attacks in the cyber realm. This employee likely went through annual HIPAA training, but as this incident proves, annual training is not enough because training is a process, not an event. Additionally, there were likely telltale indicators that this employee needed additional training, but without something like behavioral analytics, these indicators were missed and, as a result, no pre-emptive training was delivered.
While few companies have yet developed the capacity to integrate UBA directly with training, it is the logical next step and the only way we’ll be able to deliver the right training to the right person at the right time. In the near future, data and trends informed by user behavior will identify these risky behaviors, enabling administrators to deliver training at “the spot of the foul,” to borrow a sports metaphor. In this particular instance, had UBA been informing training, hospital executives likely would have flagged the errant employee behavior and delivered ongoing training to prevent him or her from falling victim to a phishing attack.
Patient data is among the most sought-after data by cyber criminals, and this data constantly changes hands between clinicians, support staff and payers. The onus is on them to protect patient data, and the best way to do this is with regular, ongoing training. A method of training I’d recommend is to leverage insights from UBA (and other tools designed to identify problematic behavior) to target the specific needs of employees and organizations. Anticipating bad behaviors in your employee population is the key to getting ahead of cyber threats.
We’re at an exciting point of change in data security and healthcare. We see a clear-cut path to a more security-aware healthcare system, thanks to the advancements being made in UBA and just-in-time training.
The culture of security awareness will only strengthen as these two security disciplines become more intertwined, enabling employees to stay up to date on the latest cyber threats and best practices to ensure the safety of healthcare data.