Ponemon’s recently published 2015 Study on Privacy & Data Security of Healthcare Data makes one point crystal clear: healthcare organizations must do more to protect sensitive patient information from the wide variety of data breach threats.
A shockingly high 91 percent of respondents reported falling victim to at least one data breach in the last two years. The majority of respondents had suffered 11 or more incidents. Healthcare IT teams understand that these percentages are unacceptable, but until now have largely failed to effectively mitigate data breach threats.
Healthcare organizations could view Ponemon’s report as a document that paints IT security in their industry as a failure. I have a slightly different view. This report is one of the most useful resources for helping healthcare organizations start taking the necessary steps to defend themselves more capably against data breaches. With this in mind, here are four takeaways from this report that each and every healthcare organization should consider:
Pay attention to security trends and plan accordingly
Healthcare IT leadership needs to keep a pragmatic, data-driven view of the types of attacks they’re facing, and allocate their IT security budgets accordingly.
Looking at the last five years of Ponemon’s healthcare report, the only category of attacks that has consistently risen is “criminal attack,” which is now the number one cause of data breaches. In 2014, criminal attacks were the number one root cause of data breaches cited by 45 percent of respondents. Other data breach root causes, including lost devices, employee negligence, and system glitches, have remained relatively consistent over the past five years.
Interestingly, when asked what they believed to be the largest security threat, 70 percent of respondents chose employee negligence, which is not at all in line with reality. Criminal attacks are the number one cause of data loss. If healthcare organizations are ever going to get in front of the relentless assault upon their critical, protected health information, a shift in the focus of priorities has to take place.
Implement strong processes and procedures
While over half of the respondents stated they had good IT policies and procedures in place, this percentage should be much closer to 100 than it is currently. With a vast array of regulatory and compliance issues to deal with, as well as the impending threat of criminals trying to steal data, healthcare organizations need to put the appropriate policies and procedures in place for all areas of their security program.
It’s also important to note that some healthcare organizations are placing too much faith in the ability of policies and procedures to prevent data loss. 58 percent of organizations stated that their policies and procedures alone can prevent or quickly detect breaches. This line of thinking is dangerous for the industry.
Make the most out of technology and automation
Strong policies and procedures are fundamental to any good security program, but they cannot be the only line of defense to stop data breaches from happening. Healthcare organizations must marry policies and procedures with technical controls that allow business to continue with minimal hindrance, while still providing the necessary levels of protection.
Only one-third of respondents stated they had sufficient resources to prevent or quickly detect a data breach, and just barely half had the on-staff technical expertise to identify and resolve data breaches. With limited resources available, healthcare organizations need to focus on leveraging technology specifically designed to enforce controls and defensive measures, especially automation tools that can be integrated into systems and processes. Well-implemented technological controls multiply the effectiveness of the human and financial resources within an organization and help it get ahead of attacks.
Build security from the inside out
As part of this effort to blunt the effectiveness of criminal attacks, healthcare organizations must build IT security from the inside out. Often, healthcare organizations try to harden the perimeter to prevent hackers from entering their systems. But as more healthcare organizations utilize cloud-based services, expand their health provider networks over larger physical areas and leverage technologies to allow more of their employees to work remotely, the perimeter has all but disappeared.
It is far more effective for IT teams to build layers of security closest to the items that require protection. If the loss of laptops is of great concern, encrypting hard drives that contain sensitive information will be more effective than adding new controls to VPN access. If preventing unauthorized access to databases and servers containing sensitive health information is the goal, IT teams should put security and auditing measures in place around privileged account credentials instead of attempting to build more firewall perimeters, which these accounts will likely have access to anyway.
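The auditing measures around privileged account credentials described above can be made concrete with a small detection script. The following Python example is added here and is not part of the report or the original article; the log format, the account inventory, the approved jump hosts, the maintenance window and the failure threshold are all assumptions constructed for the example. It reads constructed audit lines, ignores ordinary users, and flags three things about privileged accounts: use from a host they are not approved for, successful activity outside the maintenance window, and a burst of failed logins.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-audit lines (not real data, not from the report).
# Format assumed for this example:
#   <ISO timestamp> user=<account> src=<host> result=<success|fail> action=<what>
SAMPLE_LOG = """\
2015-05-07T09:12:03 user=jsmith src=ws-221 result=success action=query
2015-05-07T09:15:41 user=dba_admin src=dba-jump01 result=success action=schema_change
2015-05-07T14:02:11 user=svc_backup src=backup01 result=success action=dump
2015-05-07T22:47:10 user=dba_admin src=ws-305 result=success action=export
2015-05-07T22:48:02 user=dba_admin src=ws-305 result=fail action=login
2015-05-07T22:48:09 user=dba_admin src=ws-305 result=fail action=login
2015-05-07T22:48:15 user=dba_admin src=ws-305 result=fail action=login
2015-05-07T23:10:44 user=jsmith src=ws-221 result=fail action=login
"""

# Hypothetical inventory: which accounts are privileged and which hosts each
# may be used from. In practice this comes from the organization's own records.
PRIVILEGED_ACCOUNTS = {"dba_admin", "sysadmin", "svc_backup"}
APPROVED_SOURCES = {
    "dba_admin": {"dba-jump01"},
    "sysadmin": {"admin-jump01"},
    "svc_backup": {"backup01"},
}
MAINTENANCE_WINDOW = (6, 20)  # assumed: privileged use outside 06:00-20:00 is flagged
FAIL_THRESHOLD = 3            # assumed: this many failed privileged logins is flagged

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|fail) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def audit_privileged_use(log_text):
    """Apply three checks to privileged-account activity and return findings.

    Each finding is a (rule, account, detail) tuple, sorted for stable output.
    Non-privileged accounts are ignored: the point is to watch the credentials
    closest to the sensitive data, not every login on the network.
    """
    findings = set()
    failures = Counter()
    start, end = MAINTENANCE_WINDOW
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["user"] not in PRIVILEGED_ACCOUNTS:
            continue
        user, src, hour = rec["user"], rec["src"], rec["ts"].hour
        # 1. Privileged account used from a host it is not approved for.
        if src not in APPROVED_SOURCES.get(user, set()):
            findings.add(("unapproved_source", user, src))
        # 2. Privileged account successfully active outside the maintenance window.
        if rec["result"] == "success" and not (start <= hour < end):
            findings.add(("outside_window", user, rec["ts"].strftime("%H:%M")))
        # 3. Count failed logins per privileged account for the burst check.
        if rec["result"] == "fail":
            failures[user] += 1
    for user, count in failures.items():
        if count >= FAIL_THRESHOLD:
            findings.add(("failed_login_burst", user, str(count)))
    return sorted(findings)


if __name__ == "__main__":
    for rule, account, detail in audit_privileged_use(SAMPLE_LOG):
        print(f"{rule:20} {account:12} {detail}")
```

Run as-is, the script reports three findings, all against the database administrator account, while the ordinary user's single failed login at night produces nothing. That asymmetry is the design choice: the rules are scoped to the accounts that can reach the protected health information, which keeps the alert volume low enough for a small team to act on each one.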