The healthcare industry has become increasingly exposed to cyberattacks. In 2015, 36% of compromised records were healthcare related, making it the number one industry for data breaches.

Perhaps this should come as no surprise as confidential personal data from healthcare organizations is particularly lucrative for hackers. Criminals know it’s likely to include not only names and dates of birth but also insurance and financial information.

And, thanks to the boom in cloud computing and application-based connectivity, there’s no longer one single point of entry for a hacker to access a company’s system. The attack surface for cybercriminals targeting hospitals and clinics has increased exponentially, and there are now multiple entry points to exploit.

Encryption at a single layer is no longer sufficient to guarantee protection.

The nature of attacks is constantly changing. Traditional tools like firewalls and newer technologies like data analytics will help find breaches and improve policies to reduce the risk, but will not stop them.

While there is no single encryption standard used today, security teams can turn to proven encryption algorithms that have been tried through years of use and tested by industry and academia. Key exchanges using Diffie-Hellman and data-block encryption using the Advanced Encryption Standard (AES) are both recognized as being the best methods to safeguard data in flight.

But criminals will always look for weak links to attack. And, with so much emphasis on application layer exploits, little attention is being paid to the lower network layers.

In the past it was thought that only nations had the ability to access physical facilities. With today’s technology, it’s possible to build a facilities reader for less than $2,000 using parts readily available on the open market. By reading the data streams, a criminal can look for security weakness in both the company and their vendors, the goal being to gain the credentials necessary to breach the company’s security. And the exponential growth in data transmission creates exponentially more opportunities to exploit.

Layer one encryption protects the actual optical signal from attack. Operating at the photonic level allows for nanosecond latency, creating virtually no delay for encrypting and decrypting the data in flight. Using US National Security Association-strength AES-GSM 256 block encryption, data is secure from the most ardent attacks. According the the National Institute of Standards and Technology bulletin released in April 2016, AES will be able to protect encrypted traffic even from quantum compute attacks (although this will require longer keys).

One organization planning to implement this level of protection to secure patient records is Pennsylvania-based healthcare provider WellSpan. It’s chosen to deploy the ADVA FSP 3000 ConnectGuard™ solution between its data centers using a protected ring topology. This will support encrypted streams of up to 100Gbit/s with automatic key management.

The data being accessed by the hospitals and clinics will use encryption based on the medium traveled. For instance, the connection to some hospitals will rely on dark fiber. In this instance, the ADVA FSP 3000 can connect using a lambda wave to an FSP 150 XG210, which can encrypt the data flow to locations around the sub-ring. Packet-based services will feed satellite hospitals providing services such as voice over IP, data exchange for healthcare workers, and patient records.

The benefits of a multi-layered protected network ensure the maximum protection for data in motion. Layer 1 and 2 encryption is hardened against man-in-the-middle attacks. This is the most robust protection available today and it comes at a small premium over the cost of the equipment presently in use.

Clinics can be attached to the network through virtual LANs (VLANs) and using an advanced software-defined WAN (SD-WAN) connectivity that separates high priority or latency-sensitive applications. Using SD-WAN-encrypted connectivity offers significant savings by routing the lower priority encrypted traffic through the cloud and thus requiring less VLAN capacity. These savings mean it delivers a return on investment within months.

SD-WAN protection can create a micro segmented solution that will limit the damage of any breach through credential stealing. In the case of the health insurer Anthem, information on 80 million people was compromised. Poor management of encryption and passwords contributed to the breach, but once an administrator’s password had been stolen, the thieves should not have had an all-access pass to the encrypted data.

To maximize security and cost-efficiency, network functions virtualization (NFV) is becoming a critical component of network security. By utilizing NFV in its clinics, WellSpan can realize the savings of a single platform that hosts all of its many different appliances. Firewalls, routers and SD-WAN functions can now be installed and monitored in real time.

As new threats are detected, network-wide upgrades or additional functions can be dynamically added so that security functions can be brought up and taken down whenever anomalies are remotely detected.

Protecting data in flight at the lowest network layers, while also utilizing NFV for efficiency and control, gives WellSpan the best defense against the growing number of cybercriminals choosing to prey on healthcare data or ransom hospitals. Given the enormous value of sensitive healthcare information and the huge cost of every data breach, it looks likely that WellSpan’s strategy will be adopted by many more healthcare providers in the next few years.