After reading the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, the overwhelming themes of the study were clear to me: Breaches are so common that no healthcare provider is safe, and almost every patient will eventually become a victim as well. I’ve put together some of my thoughts on the data presented by this study in this post.
Some of the statistics are surprising. Most healthcare organizations that were polled for the study stated that they had been breached multiple times. Almost half of them had been breached more than five times within the past two years. Decisive action must be taken by these organizations, as what’s being done now just isn’t enough.
What’s even more surprising is that with the average cost of a breach being estimated at over $2.2 million, most polled organizations stated that their budgets for information security had not increased. In some cases, they had even reduced their security budget! Without funding the testing and improvement of security, the trends in this report will continue, and likely worsen.
Consistent with the Data Breach Investigations Report, the Ponemon study found that 13 percent of breaches were caused by malicious insiders. While 13 percent might not sound like a large number, when you consider it in the context of the large number of breaches involved, it’s significant. Studies like this continue to downplay insider threats, but if one in ten breaches involves an insider, that adds up to a lot of dishonest people who are being trusted. Organizations must face the fact that internal defenses and network segmentation are required to mitigate modern attacks.
Most of the organizations polled identify employee training as being able to prevent breaches. While this may be a contributing factor, it is not as decisive as one may think. Employee training can increase awareness, but it will not prevent an initial compromise. A phishing campaign (or a more advanced social engineering scheme) only needs one victim out of the entire employee population to be successful. Employee training can benefit the security posture of your organization, but testing and improving the security of your infrastructure should take priority.
Once you have been breached, how do you want to find out about it? Ideally, your own staff would be the ones to discover it. The reality is that the most painful discovery mechanisms (customer complaints, legal complaints, and law enforcement) together account for how half of all breaches are discovered. If you do not put resources into security monitoring, you’ll be the last one to know about your own embarrassing and damaging breaches.
It’s clear from this study that healthcare is experiencing a crisis in information security—as much as or more than other areas of business. It is important to realize that being compliant does not mean you are secure. HIPAA is one of the most rigorous and long-standing privacy and security regulations, yet the industry is still in a crisis when it comes to information security. Healthcare providers and other associated businesses must direct resources towards information security and prioritize the protection of patient financial and medical data. Without direct action, the state of information security in healthcare will only get worse.