This is the fifth in a series of blog posts designed to help enterprise security and business executives prepare for GDPR throughout 2017.
Recent ransomware incidents have put a spotlight firmly on the state of security within healthcare and there’s a perception that this industry is trailing others. Is that fair?
If we look at data loss prevention (DLP), which is particularly relevant with GDPR now less than a year away, then the 2016 Data Protection Benchmark Study from the Ponemon Institute, sponsored by McAfee, sheds some light. It puts healthcare “running about six months behind other industries” in terms of DLP deployment length and maturity.
And that’s important, not just because healthcare can be a matter of life and death, but because of the value of that particular data. Ponemon puts an average value of $355 on each patient record.
Meanwhile healthcare comes in second to only financial services in Verizon’s 2017 Data Breach Investigations Report, accounting for 15 per cent of all breaches.
So is this a perfect storm? On the one hand GDPR will mean significant penalties and a consistent framework to adhere to, while on the other hand the bad guys see an industry with valuable data that could be better protected.
Intel’s recent research, covering 88 healthcare and life sciences organisations across nine countries, highlights a staggering range in readiness for attacks such as ransomware, judged by the number of relevant security capabilities these organisations have in place. It may seem strange to connect a discussion of GDPR with ransomware, but it makes sense: what is ransomware if not a denial of service against data, and how can you be sure that attackers can’t access the data they just encrypted? If you can’t stop the ransomware in the first place, there is a good chance you can’t stop the exfiltration in the next phase of the attack.
However, there are sensible steps the healthcare industry can take to become GDPR-ready. For these causes of data loss in healthcare, for example, Verizon’s report recommends specific actions:
- Miscellaneous errors – which in 76 per cent of cases are embarrassingly pointed out by a customer – have, and enforce, a formal procedure for disposing of anything that might contain sensitive data, and establish a four-eyes policy for publishing information.
- Physical theft and loss – encrypt data at rest wherever possible and establish handling procedures for printing out sensitive data.
- Insider and privilege misuse – implement limiting, logging and monitoring of use, and watch out for large data transfers and use of USB devices.
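To make the last recommendation concrete, here is an added example (written for this post, not code from Verizon, Ponemon or McAfee) of the kind of check a SOC might run over file-access audit records to surface large transfers and copies to USB media. The log format, the field names (`user`, `action`, `bytes`, `dest`), the `usb:` destination prefix and the 500 MB threshold are all assumptions for illustration; the sample records are constructed, not real patient data.

```python
"""Added example: a small insider-misuse monitor over constructed audit records.
Flags (a) single transfers above an assumed size threshold and (b) any copy
whose destination is USB removable media, then summarises findings per user.
Field names, the 'usb:' prefix convention and the threshold are assumptions."""
from dataclasses import dataclass
import json

# Assumed threshold: treat any single transfer of 500 MB or more as "large".
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # 524288000

# Constructed sample audit log (JSON lines). One deliberately garbled line
# shows that the parser skips bad input instead of aborting the whole run.
SAMPLE_LOG = """\
{"ts":"2017-06-01T08:02:11Z","user":"nurse01","action":"read","bytes":2048,"dest":"ehr-db"}
{"ts":"2017-06-01T08:15:42Z","user":"admin7","action":"copy","bytes":734003200,"dest":"usb:/media/E"}
garbled entry that is not JSON
{"ts":"2017-06-01T09:01:05Z","user":"analyst3","action":"export","bytes":1073741824,"dest":"smb://share/reports"}
{"ts":"2017-06-01T09:30:00Z","user":"nurse01","action":"copy","bytes":4096,"dest":"usb:/media/F"}
{"ts":"2017-06-01T10:00:00Z","user":"analyst3","action":"read","bytes":512,"dest":"ehr-db"}
"""


@dataclass
class Finding:
    """One flagged audit record and the reasons it was flagged."""
    user: str
    ts: str
    reasons: tuple
    size: int
    dest: str


def parse_records(text):
    """Parse a JSON-lines audit log, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # log it in a real deployment; here we just skip it
        if isinstance(rec, dict):
            records.append(rec)
    return records


def is_usb_destination(dest):
    """Assumed convention: the collector prefixes removable-media paths with 'usb:'."""
    return dest.lower().startswith("usb:")


def detect_misuse(records, large_bytes=LARGE_TRANSFER_BYTES):
    """Return one Finding per record that trips at least one rule, in log order."""
    findings = []
    for rec in records:
        size = int(rec.get("bytes", 0))
        dest = str(rec.get("dest", ""))
        reasons = []
        if size >= large_bytes:
            reasons.append("large transfer")
        if is_usb_destination(dest):
            reasons.append("usb device")
        if reasons:
            findings.append(Finding(rec.get("user", "?"), rec.get("ts", "?"),
                                    tuple(reasons), size, dest))
    return findings


def summarise_by_user(findings):
    """Aggregate flagged events, total bytes and distinct reasons per user."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f.user, {"events": 0, "bytes": 0, "reasons": set()})
        entry["events"] += 1
        entry["bytes"] += f.size
        entry["reasons"].update(f.reasons)
    return summary


if __name__ == "__main__":
    for user, entry in summarise_by_user(detect_misuse(parse_records(SAMPLE_LOG))).items():
        print(f"{user}: {entry['events']} event(s), {entry['bytes']} bytes, "
              f"reasons={sorted(entry['reasons'])}")
```

On the sample data this flags admin7 (a 700 MiB copy to USB trips both rules), analyst3 (a 1 GiB export to a network share) and nurse01 (a small copy to USB, which is still worth a look under a USB-use policy). In practice the threshold would be tuned per role and the findings fed to a ticketing or SIEM workflow rather than printed.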
We would more broadly add that you can’t protect what you can’t detect. Visibility is key. As the Ponemon research put it, DLP solutions should cover data at rest, in processing and in motion, on the corporate network, endpoints and clouds. They form the basis of a good data security programme. Adequate staffing is also important and while automation and machine learning will help, they cannot replace staff entirely.
Some final guidance: Organisations can protect their sensitive data and be more likely to be GDPR-ready by taking these five critical steps:
- Conduct an Impact and Readiness assessment
- Review current data security programme to ensure you can prevent accidental and malicious data theft attempts
- Assess application and DevOps security controls and procedures
- Review your use of cloud infrastructure and software-as-a-service to minimise exposure to data loss
- Develop specific data breach detection and response capability in the SOC
The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.