More than one study reveals the trouble the healthcare industry continues to have with information security and with taking threats seriously. A brief outline of the findings from three separate surveys helps to spotlight some of the issues at hand.

The Global State of Information Security Survey 2015

  • Security incidents have soared 60% in healthcare.
  • The cost of a security breach has leapt to 282% in healthcare.
  • The healthcare industry cites access control and identity management for end users as its top challenge.


6th Annual HIMSS Security Survey

  • 25% of respondents reported having either a case of medical identity theft or a security breach.
  • In US healthcare, insider threat is motivated by workers snooping on relatives/friends (80%), financial identity theft (66%), and identity theft (51%).
  • 60% of US healthcare organizations do not have two-factor authentication implemented.


5th Annual Privacy and Security of Healthcare Data Report by Ponemon Institute

  • 91% of respondents reported falling victim to at least one data breach in the last two years.
  • The majority of respondents suffered 11 or more incidents.
  • 58% of organizations stated that their policies and procedures alone can prevent or quickly detect breaches.
  • 56% of healthcare organizations and 59% of business associates (BAs) do not believe their incident response process has adequate funding and resources.
  • In addition, the majority of both types of organizations fail to perform a risk assessment for security incidents, despite the federal mandate to do so.


In addition to the above surveys, our company has found healthcare organizations to have 2,000-plus high-severity vulnerabilities per assessment conducted. Not 11 or 100, but 2,000. What all this information tells us is that the healthcare industry as a whole has yet to make security threats a priority, or, where it has, it still does not do enough to secure its environment and data. For example, believing that policies and procedures alone are enough to prevent or quickly detect a data breach is a serious mistake. Add to this inadequate funding and resources for incident response, and it is no wonder these organizations have suffered 11 or more incidents in the past couple of years.


Another focal point of the studies is the increase in healthcare incidents. This trend indicates that threats are not going away; quite the contrary. One of the reasons is most likely the value of medical records on the black market. They are worth 10 times more than credit card numbers, and those who hold them can use them to buy medical equipment and drugs, resell them, or file fraudulent claims with insurers.


From the studies we also see that HIPAA compliance alone is not enough to secure healthcare data, especially when organizations and business associates are not even meeting requirements such as performing risk assessments for security incidents. If that were not enough, we continue to see limited funding for security by healthcare organizations.


With an increase in threat incidents and high-profile breaches, such as the Anthem hack, what is stopping healthcare executives and CIOs from changing how they approach security?


  • The risk management challenges they face can be resolved if they take action.
  • The security skill gap can be closed with expert security consultants and teams that come in to do what the in-house IT team cannot.
  • HIPAA compliance provides a baseline from which to start a risk management implementation.
  • Breaches cost more than implementing a long-term, holistic security posture.
  • Industry news and surveys provide valuable information on security, threats, and events that can further educate and inform CEOs, CIOs, and staff about risk management as a whole.


These are only five of the most obvious reasons why healthcare organizations cannot continue their lax approach to security. The question is not whether this will become obvious, but when organizations will choose to ensure the safety of their patients, employees and enterprise.


What security steps have you taken to secure your PHI and overall environment to avoid data loss?