It's hard to miss all the media attention surrounding data breaches in healthcare. If you're involved in information security at a healthcare organization, it's no surprise to you that more than 143 million individuals have been affected by data breaches since HHS started tracking incidents in September 2009.
Part of the reason for this has to do with the value of the data: Healthcare records have been estimated to be worth between $50 and $500 per record on the black market, depending on who's selling it and how the data will be used. That's much higher than simple stolen credit card data, which caused such a stir a few years ago with the notable hacks into Target's and Home Depot's credit card data.
But the other big reason for the huge volume of breaches has to do with how relatively unprepared the healthcare industry has been to protect its own data. Healthcare providers, and hospitals in particular, have traditionally followed the "bastion" philosophy of network security, keeping all data securely behind firewalls and allowing minimal traffic from the internet to get into that network. That worked just fine until the recent rapid adoption of electronic medical records systems combined with CMS interoperability requirements came into play.
Now hospitals are being faced with conflicting challenges: Improve their network and data security in the face of increasingly frequent and sophisticated cyberattacks, but at the same time, create portals for patients and providers outside the network to access that same vulnerable data. Hospitals have to look at a wide scope of issues relating to network and data security, but there's one area where many hospitals may not be focusing as much as they should: Web security. Many hospitals have installed on-premise Web Application Firewalls (WAFs), which are the traditional line of defense against web application attacks such as cross-site scripting (XSS) and SQL injection.
However, what we've been learning from hospital surveys as well as from our own hospital customers is that those on-premise WAFs may not be providing the full amount of protection that hospitals are expecting. WAFs require significant management overhead in order to maximize the amount of protection they can provide. They are very complex, and a lot of hospitals tend to underestimate the time, resources and expertise required to maintain them. Often a hospital will install an on-premise WAF, configure it once, and then ignore it. There are a lot of reasons why that won't work, not the least of which is that a configure-once WAF makes no accommodation for changes in attack vectors, which we are learning change constantly and are becoming vastly more sophisticated.
Supplementing an on-premise WAF with a cloud WAF may be the best solution to this problem. Cloud WAFs filter the bad actors at the edge, meaning they never reach and overburden the hospital's data center. Also, cloud WAFs are operated by companies who are in the business of understanding the latest cyber security threats as they develop, allowing them to keep the cloud WAF rules updated to protect against all the latest attack vectors.
This takes a very large burden off hospitals, as they no longer need to ensure that they have the resources and personnel in place to stay on top of cyber security trends and keep their on-premise WAF constantly and properly configured. A cloud WAF solution can be at least one aspect of a hospital's information security program where they can have a reasonably high comfort level that patient data is secure. If only keeping hospital employees from clicking on phishing emails were as easy.