Security Instrumentation for Healthcare Payers


June 12, 2018

Over the past few months, I’ve been meeting with security leaders in the healthcare industry. This includes healthcare providers such as hospitals, laboratories, imaging facilities, healthcare payers (such as insurance companies), and healthcare sciences (such as pharmaceuticals). Here’s a recent interview with leading healthcare CISO, Jeff Vinson.

I decided to write a three-part series and outline the various healthcare use cases that came out of my conversations. This is part two of three: healthcare payers. You can find my piece on healthcare providers here.

One quick note before diving in: I’m co-hosting an upcoming healthcare-focused webcast with Frank Kim of SANS Institute. Don’t miss it! (Register Here).

Healthcare Payers

Healthcare payers have many of the same concerns as healthcare providers and healthcare sciences, with a few extra use cases of note. Like healthcare providers, healthcare payers are frequently targeted and, according to research by the Ponemon Institute, are in the top three industries in terms of cost for remediating a data breach.

Healthcare payers have vast partner network integrations and require a large number of third-party organizations (these can be healthcare providers, healthcare sciences, brokers, claims professionals, academic institutions, marketers, etc.) to interact with their assets. Having limited visibility into the security effectiveness at these connection points is not acceptable.

Vulnerable systems holding sensitive data are the makings of a perfect storm for malicious activity. Detailed medical records, when combined with personal and financial data, can be sold for big money in nefarious circles, sometimes for up to $50 per record, according to a Harvard study. That’s a million dollars for just 20,000 records! In other words: far fewer records than some of the breaches referenced earlier in this blog, which resulted in 700k, 500k, and 300k records compromised.

Healthcare payers urgently need to validate their network segmentation and the effectiveness of their preventative and monitoring capabilities. It’s often discovered that communication paths are open that shouldn’t be, and that the controls deployed to stop and/or detect malicious activity are not properly configured.

Another key issue for payers is fraud. While fraud is an extremely broad term, the areas of focus during my conversations revolved around the abuse of Internet-accessible assets. In particular, attacks on web servers and their related databases to steal or alter insurance data (often including patient and payment information) were of high concern. As healthcare payers continue to increase customer accessibility by making more information more easily accessible, the risks increase as well.

Verodin SIP for Healthcare Payers

A core instrumentation use case centers on using Verodin SIP to validate that networks are segmented correctly. Verodin often sees this use case embraced when organizations are going through M&A. In fact, we recently wrote a piece titled “Mergers and Acquisitions with Verodin SIP.” Validating segmentation (and validating that segmentation persists over time), along with assurance that the security tools protecting those segments are working as desired, are powerful Verodin SIP capabilities.

Verodin SIP also addresses the healthcare payer use cases surrounding web servers, databases, and fraud. Healthcare payers that instrument the security controls protecting their web servers and databases will find they can pursue new business ventures with more confidence.

Through the safe execution of real attacks in the production environment, the platform not only validates whether the security controls are working but, if they aren’t, prescriptively outlines exactly what modifications need to be made to mitigate the attack.

Once the changes have been made, Verodin SIP reevaluates the security controls to make sure the changes worked as desired. Finally, through the automated leveraging of Verodin’s advanced environmental drift analytics (AEDA), Verodin SIP will alert should any security controls drift from a known good state to a bad state.
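The two checks described above, validating that segmentation matches an expected policy and alerting when a control drifts from a known-good state, as an added illustration that is not Verodin’s code and does not reproduce AEDA. It assumes a hypothetical zone policy table and a constructed set of observations from a controlled connectivity test (the zone names, ports, outcomes and detection flags are made up for the example).

```python
"""Segmentation-policy validation and control-drift detection (added example).

Each observation records whether a test connection between two zones was
allowed or blocked, and whether the monitoring stack raised an alert for it.
The policy says what *should* happen; anything not listed is deny-by-default.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical policy: (source zone, destination zone, port) -> expected outcome.
POLICY: Dict[Tuple[str, str, int], str] = {
    ("partner_vpn", "claims_web", 443): "allowed",
    ("claims_web", "claims_db", 1433): "allowed",
    ("partner_vpn", "claims_db", 1433): "blocked",
    ("guest_wifi", "claims_db", 1433): "blocked",
    ("guest_wifi", "claims_web", 443): "blocked",
}


@dataclass(frozen=True)
class Observation:
    src: str
    dst: str
    port: int
    outcome: str    # "allowed" or "blocked", as seen by the test endpoint
    detected: bool  # did the monitoring stack alert on the attempt?


def expected(src: str, dst: str, port: int) -> str:
    """Deny-by-default: unlisted paths are expected to be blocked."""
    return POLICY.get((src, dst, port), "blocked")


def validate(observations: List[Observation]) -> List[str]:
    """Findings for paths whose outcome or detection disagrees with POLICY."""
    findings = []
    for o in observations:
        want = expected(o.src, o.dst, o.port)
        path = f"{o.src}->{o.dst}:{o.port}"
        if o.outcome != want:
            findings.append(f"{path} is {o.outcome}, expected {want}")
        if want == "blocked" and not o.detected:
            # A denied boundary was probed and nothing alerted: monitoring gap.
            findings.append(f"{path} attempt across denied boundary not detected")
    return findings


def drift(baseline: List[Observation], current: List[Observation]) -> List[str]:
    """Alerts for paths whose outcome or detection changed since the known-good run."""
    base = {(o.src, o.dst, o.port): o for o in baseline}
    alerts = []
    for o in current:
        key = (o.src, o.dst, o.port)
        b = base.get(key)
        if b is None:
            alerts.append(f"{key}: no baseline observation")
        elif (b.outcome, b.detected) != (o.outcome, o.detected):
            alerts.append(
                f"{key}: {b.outcome}/detected={b.detected} -> "
                f"{o.outcome}/detected={o.detected}"
            )
    return alerts


# Constructed sample data: a known-good run and a later run after some change.
BASELINE = [
    Observation("partner_vpn", "claims_web", 443, "allowed", False),
    Observation("claims_web", "claims_db", 1433, "allowed", False),
    Observation("partner_vpn", "claims_db", 1433, "blocked", True),
    Observation("guest_wifi", "claims_db", 1433, "blocked", True),
    Observation("guest_wifi", "claims_web", 443, "blocked", True),
]

CURRENT_RUN = [
    Observation("partner_vpn", "claims_web", 443, "allowed", False),
    Observation("claims_web", "claims_db", 1433, "allowed", False),
    # Firewall change opened a path that the policy says must stay closed.
    Observation("partner_vpn", "claims_db", 1433, "allowed", False),
    Observation("guest_wifi", "claims_db", 1433, "blocked", True),
    # Still blocked, but the IDS rule that used to fire no longer does.
    Observation("guest_wifi", "claims_web", 443, "blocked", False),
]


def report(baseline: List[Observation], current: List[Observation]) -> Dict[str, List[str]]:
    """Bundle policy findings and drift alerts for the current run."""
    return {"findings": validate(current), "drift": drift(baseline, current)}


if __name__ == "__main__":
    for section, lines in report(BASELINE, CURRENT_RUN).items():
        print(section.upper())
        for line in lines:
            print("  " + line)
```

The baseline is only useful as a "known good" state if it passes `validate` itself, so a real job would refuse to store a baseline that has findings; here `validate(BASELINE)` returns an empty list, and the second run produces both a policy finding and a drift alert for the same opened path, plus a separate monitoring-only drift for the path that is still blocked but no longer detected.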

Verodin SIP is a powerful platform for healthcare providers, payers, and sciences looking to optimize their security controls, increase value, communicate effectiveness, and reduce risk. To learn more about how Verodin SIP works, check out our website and request a demo.
