When you hear about the types of organizations that make it a high priority to build a strong information security strategy, healthcare institutions often come up. And why shouldn’t they?
Keeping patients’ data secure and private is vital to maintaining their trust, and it’s also mandated by regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act.
In large part because of these regulations, hospitals, clinics, private practices and others in the industry have had to step up their efforts to protect patient and other information. A key question is, are they doing enough?
Clearly, hackers and other intruders are doing their part to try to get past the security blockades at healthcare organizations. A report recently released by IDC Health Insights shows that all of the 94 healthcare IT executives surveyed as part of the study reported that they had experienced a cyber attack in the past 12 months. Nearly 40% reported that they were attacked more than 10 times, and 27% of the attacks were described as "successful."
About one out of four of the cyber attacks had an impact on normal business operations.
The report, “Business Strategy: Thwarting Cyber Threats and Attacks Against Healthcare Organizations,” notes that today's healthcare organizations “are at greater risk of a cyber attack than ever before, in part because electronic health information is more widely available today” than in the nearly 20 years since HIPAA passed in 1996.
Cyber criminals look at healthcare organizations as a soft target compared with financial services and retailers, because historically they have invested less in IT, including security technologies and services, than other industries, the report says. This makes them more vulnerable to successful cyber attacks.
Health information obtained in a breach can be used to commit medical fraud, and it’s surpassing the value of social security and credit card numbers on the black market, the firm says, and this increases the attractiveness of stealing health information.
"for healthcare organizations, it's not a matter of if they are going to be attacked but when. Healthcare cyber security strategies need to take a comprehensive approach and include not only react and defend capabilities, but also predict and prevent capabilities to effectively thwart cybercriminals.”
Lynne Dunbrack, Research Vice President at IDC Health Insights
Other industry research sheds light on the security challenges the industry is grappling with. For example, Verizon’s 2014 Data Breach Investigations Report, which examined security threats in 20 industries, said physical theft and loss of laptops and other mobile devices containing patient data is the most significant security threat to the industry, accounting for 46% of security incidents in 2013.
Another threat is insider misuse, including unapproved or malicious use of organizational resources. That accounted for 15% of the security incidents in the healthcare industry in 2013, according to the Verizon report.
The Healthcare Information and Management Systems Society (HIMSS), a not-for-profit organization that looks at how IT can contribute to better health, says electronic health data breaches are a key concern. The 2013 HIMSS Security Survey shows that healthcare institutions need to do more to mitigate insider threats such as inappropriate access of data by employees.
In the previous twelve months, 19% of the 283 IT and security professionals at U.S. hospitals and physician practices surveyed by HIMSS had reported a security breach, and 12% had experienced at least one known case of medical identity theft reported by a patient.
Among the security threats and vulnerabilities the industry is facing is the growth of mobility. Mobile devices and apps have become a vital component in the delivery of services to patients and their families, and many doctors, nurses, administrators and other professionals use smartphones, tablets, laptops and other devices to do their work and provide care.
To support the increasing reliability on mobile technology, lots of healthcare institutions have boosted their wireless network coverage, which introduces potential security vulnerabilities. Also adding to the security challenge is the fact that users have a variety of mobile operating platforms and applications, which can increase the likelihood of malware attacks.
Healthcare organizations are investing in security technology. An overwhelming majority of the healthcare executives surveyed by IDC in its report said their spending on cyber threats increased or stayed the same over the last three years. On average, the increase for those respondents who reported was 15%.
Certainly the regulations serve as an incentive to bolster security. The laws include rules for handling Protected Health Information (PHI) such as patients’ names, addresses, medical conditions and treatments. The fines for non-compliance can be high, and organizations can take a hit to their reputations if they fail to be compliant.
While many health organizations are aiming to be compliant with regulations, the industry research data suggests that they have more work to do to ensure that they’re protected against ongoing security threats.