Mind the gap—the data security vulnerability that healthcare organizations are tripping over

When boarding the London Underground (the Tube), a recorded announcement reminds passengers to notice the distance between the platform and the train car. These “mind the gap” announcements help ensure that passengers don’t stumble or fall while entering or exiting the train car. Even the tiny gaps that exist at step-free stations can still pose an obstacle for disabled and other passengers.

Like Tube passengers, healthcare organizations must “mind the gap” that exists when it comes to protecting data as it traverses networks, applications, devices, and users. Healthcare organizations haven’t had the ability to see their data and know where or how it’s being used. As a result, cyber attackers have easy access through that gap to conduct malicious activity, steal data, and ultimately hold organizations for ransom.

Malicious activities begin with gaining access to the healthcare organization’s network. Compromised devices or applications are open doors for attackers to gain entry. Computers, servers, and mobile devices typically have several layers of security already around them. But Internet of Things (IoT) devices—insulin pumps, intracardiac defibrillators, monitors, wearables, and others—have unique vulnerabilities that create open doors to attack. Not only can attackers directly affect patient health and safety, but they also gain access to the entire network for planting malware and other threats. In January 2022, the FBI Cyber Division notified healthcare organizations that 53% of connected medical devices and other IoT devices in hospitals have known critical vulnerabilities.

Phishing emails are another easy point of entry. It takes sophisticated threat prevention, security measures, and continuous training to defend medical data when all-too-human employees fail to recognize a phishing email. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) notes that 90% of successful attacks are generated via phishing emails.

Attackers consider healthcare IT environments to be soft targets because they have complex networks that are challenging to manage, they offer so many potential points of entry, and they feature numerous data silos of rich data. Once cyber attackers gain access, they utilize a range of tools to gain broad, deep access to as much data as possible. As of October 2022, there have already been 340 documented healthcare breaches with an average cost of $9.4 million. Once in attackers’ hands, data is highly profitable. It’s:

  • Sold on the dark web
  • Used to demand payment for preventing exposure of sensitive data
  • Encrypted in ransomware attacks to extort payment

Many strategies, vendors, and products are designed to protect data, and most healthcare organizations use some or all of these:

  • Categorizing data by level of sensitivity to public exposure
  • Encrypting data at rest and/or in transit
  • Backing up data to the cloud or other external repositories
  • Implementing Network Access Control (NAC) to limit user access
  • Leveraging two-factor authentication for a layer of security beyond just the user ID and password
  • Deploying Data Loss Prevention (DLP) software to prevent sensitive data from being inadvertently leaked

While essential best practices, these measures haven’t prevented cyberattacks nor stopped the onslaught of ransomware. Once a network is breached, none of these methods can detect suspicious data movement or indicators of compromise. Healthcare organizations’ looming gap in data security lies in the fact that they cannot see or know with any confidence what data is traveling through their network, who has it, or how it’s being used.

The infamous data breach at Target is a perfect example. The company’s IT leadership had extensive security methods in place to secure store networks and databases, but lacked a solution to secure data traffic. Hackers started by breaching the network of Target’s heating and air (HVAC) vendor. They then used the vendor’s monitoring access to see each Target store’s environment. With access and network intelligence, they accessed credit card information. If Target had been monitoring actual data traffic, it would have been clear that credit card information should not have been traveling to the HVAC application. Similarly, when Marriott International purchased Starwood Hotels & Resorts, they discovered hackers had accessed the Starwood network and had been removing data for four years.

The point is, no matter how network access is defined and how many policies are established, to close the gap you need to monitor the data itself and be alerted of improper activity. That’s why data surveillance is critical.

Data surveillance begins by identifying and fingerprinting your data. Working at the binary level, it determines where the data originates, its purpose, level of sensitivity, movement and relationship to other data and users. Data surveillance also can incorporate existing DLP data expressions. It catalogs data content and structures without modifying files. Next, real-time monitoring uses patented techniques to quickly establish a baseline of normal data patterns. It analyzes incoming data, data in motion, and data leaving the environment to continuously update a rolling baseline of normal activity. With a known rolling baseline, data surveillance easily identifies suspicious activity and isolates threats in real time.
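As an added illustration (not code from the original post or from any vendor’s product), here is a minimal sketch of the loop the paragraph describes: classify each payload by content, fingerprint it, learn which data classes each destination normally receives, and alert when something outside that baseline appears, such as card data heading to an HVAC application as in the Target case above. The sample events, application names and the Luhn-based card detector are constructed assumptions for the demo.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample events (not real traffic): (destination application, payload seen on the wire).
BASELINE_EVENTS = [
    ("billing-app", "PATIENT:1042 CARD 4111111111111111 EXP 09/27"),
    ("billing-app", "PATIENT:1043 CARD 5500000000000004 EXP 01/26"),
    ("hvac-monitor", "ZONE:3 TEMP 21.5C HUMIDITY 41%"),
    ("hvac-monitor", "ZONE:4 TEMP 22.0C HUMIDITY 39%"),
]
LIVE_EVENTS = [
    ("hvac-monitor", "ZONE:3 TEMP 21.7C HUMIDITY 40%"),                 # normal telemetry
    ("hvac-monitor", "PATIENT:1044 CARD 4012888888881881 EXP 03/28"),  # card data to the HVAC app
]
PAN_RE = re.compile(r"\b\d{13,16}\b")

def luhn_ok(digits):
    """Luhn checksum, so that not every long number is treated as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(payload):  # sensitivity label from content alone: 'card' or 'telemetry'
    return "card" if any(luhn_ok(m.group()) for m in PAN_RE.finditer(payload)) else "telemetry"

def fingerprint(payload):  # stable content id, so data can be tracked across hops without storing it
    return hashlib.sha256(payload.encode()).hexdigest()[:16]

class RollingBaseline:
    def __init__(self):
        self.classes = defaultdict(set)  # destination -> data classes normally seen there
    def learn(self, dest, payload):
        self.classes[dest].add(classify(payload))
    def check(self, dest, payload):
        """Return alerts for one event; only clean events extend the rolling baseline."""
        cls = classify(payload)
        if cls not in self.classes[dest]:
            return [f"{cls} data to {dest} never seen in baseline (fp={fingerprint(payload)})"]
        self.learn(dest, payload)  # rolling update; anomalies are never learned as "normal"
        return []

def audit(baseline_events, live_events):
    """Learn a baseline from known-good events, then return alerts raised over live events."""
    b = RollingBaseline()
    for dest, payload in baseline_events:
        b.learn(dest, payload)
    return [a for dest, payload in live_events for a in b.check(dest, payload)]
```

Running `audit(BASELINE_EVENTS, LIVE_EVENTS)` raises a single alert for the card payload sent to `hvac-monitor`; a real deployment would also baseline volumes, rates and sender identity rather than content class alone.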

Data surveillance delivers comprehensive data chain-of-custody reporting, so you can make informed decisions about security policy and document compliance and cyber insurance readiness. More than simply securing networks and data repositories, for the first time, you can actually secure the data itself—wherever it is, whatever it’s doing, and regardless of who’s using it.

See how data surveillance delivers the data visibility you need. Book a meeting.