Healthcare organizations need to take several key steps to protect their environments from the type of cyber-attacks that recently affected Anthem Inc. and Premera Blue Cross, says security expert Mac McMillan.
"If we could just start eliminating some of the easy ways that attackers can get in, that more than anything will have the biggest impact," McMillan says in an interview with Information Security Media Group at the HIMSS 2015 Conference in Chicago.
"When it comes to protecting the infrastructure, they need to have a good solid perimeter. We need to start thinking about NAC [network access controls] and the ability to literally interpret folks who are trying to connect to our network," he says.
McMillan, who is CEO of the consultancy CynergisTek, also recommends that healthcare organizations implement a comprehensive mobile device management strategy. "Every hospital we walk into today has a proliferation of mobile devices. There's data on all the devices, and we have to start to accept that, and roll out mobile management solutions," he says.
Another key breach prevention step, McMillan argues, is to more closely monitor business associates, "especially those that are cloud providers. A lot of the tools we have out there today, like data loss prevention, are beginning to offer versions that allow you to monitor the cloud. So we need to do that.
"We need to have a good holistic approach to knowing where our data is, who we're sharing it with and where we're transferring it - and have the right controls in place to address that."
In addition to a continued increase in phishing schemes designed to steal credentials, McMillan predicts a surge in attacks on mobile devices, as well as assaults on big data and cloud storage organizations. "Also, at some point, HIEs [health information exchange organizations] will be a target. If they're the hub in that federated model and I can get into that hub, now I'm in the middle of all that [data]," he warns.
Eventually, consumer wearable health devices will be targets for hackers as well, McMillan predicts. "We're moving fast in these technology areas, and we don't have all the privacy and security answers yet."
Also in the interview, McMillan discusses:
- Why hackers appear to be targeting health insurers;
- Lessons to learn from the Anthem and Premera breaches;
- Why many healthcare entities continue to struggle with information security programs.
McMillan is co-founder and CEO of CynergisTek, an Austin, Texas-based consulting firm specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has more than 30 years of security and risk management experience, including 20 years at the Department of Defense, most recently at the Defense Threat Reduction Agency. He is also chair of HIMSS' privacy and security task force.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.