Over the last several weeks we have been getting reports, through our analytic platform, of health organizations being breached. What these health organizations are failing to realize is that in some cases we can tell where leaked data (shared on the dark web, traded in hacking forums, posted publicly or otherwise disclosed) originates, based on IP address information. We have witnessed no fewer than 3 healthcare organizations in the previous week in which we could confirm the data being presented; others in the security industry have also looked at the data and validated that it was current (recently acquired) and that it belonged to existing customers of the providers.
What is occurring more often than not is that these providers are adopting technologies such as cloud, Azure, AWS and other platforms without understanding the data governance issues or how to secure the information. All three of the entities we have observed are members of HITRUST, which leads us to believe that this "standard" of certification is broken when applied in offsite hosted environments. It seems that when the data is stored on the company's own servers it is mostly adequately secured from theft, but when it is introduced or migrated to cloud environments, a lack of understanding of the security results in theft and loss of customer information.
Even with regulations such as HIPAA, HITECH and HITRUST CSF as part of the plan, breaches are still happening but not being reported as required by law. In many cases we doubt that the covered entities even realize their data has been lost. In some cases, according to a group of hackers on a popular P2P messaging platform, development data provides information that allows the exploitation of live data.
HITRUST CSF is the most popular framework in the healthcare industry used to secure customer data. Recent reporting from SecurityWeek shows the same type of activity. We believe that the HITRUST model is not sufficient because it does not cover most non-IT-related elements that are being exploited to gain access to IT resources, and it also fails to address other technical attacks that are being overlooked. The MyCSF risk assessment tools are all based on risk detection automation, whereas many attack vectors being used are non-IT attack vectors.
Until HITRUST gets a full-scope coverage implementation design in place, we will continue to see HITRUST-certified organizations being breached and, even worse, breaches not being reported when they occur.