As part of an ongoing series, we’re examining the security and compliance needs and challenges in a variety of industries, and the implications for value-added resellers (VARs) and managed services providers (MSPs). In this post, we look at the healthcare sector.
Few industries (financial services being another) have been as scrutinized over data security and privacy issues as healthcare. With the advent of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, hospitals, clinics, private practices, health insurers and others in the industry have had to become extremely diligent about protecting patient information.
These laws include rules for safeguarding protected health information (PHI) such as patients’ names, addresses, medical conditions, treatments, etc. The fines for non-compliance can be stiff, and the damage to organizations’ reputations can be severe and long-lasting. So it should go without saying that compliance with HIPAA and other regulations is a high priority for healthcare IT, security and risk management executives.
The industry faces a number of security threats and vulnerabilities. For one thing, mobile technology has become an extremely important component in the delivery of quality services to patients and their families. It’s not unusual to find many doctors, nurses, administrators and other healthcare professionals using tablets, smartphones and other mobile devices to take notes, store records, access data and share information with colleagues.
To support the growing use of mobile devices for staff as well as for patients, visitors and business partners, many healthcare institutions have increased their wireless network coverage, and that introduces potential security issues. In addition, the wide variety of mobile operating platforms and applications in use, exacerbated by the bring-your-own-device (BYOD) trend, could mean a greater likelihood of malware attacks.
Another security issue in the industry is the growing use of server and desktop virtualization to significantly reduce hardware costs and increase flexibility. But as more healthcare users adopt virtualized environments, the threat level can rise, because those environments tend to evolve faster than the security controls around them.
Recent industry research provides some insights into the security issues facing healthcare companies.
The Verizon 2014 Data Breach Investigations Report, which looked at security threats in 20 different industries, noted that physical theft and loss of laptops and other mobile devices containing patient data is the most significant security threat to healthcare, accounting for 46% of the industry’s security incidents in 2013. That was by far the highest percentage of any industry.
Another major threat is insider misuse, including any unapproved or malicious use of organizational resources, according to the Verizon study. That accounted for 15% of security incidents in the healthcare industry in 2013. Next were unintentional actions that directly compromised patient information, which accounted for 12% of security incidents in the industry.
In another report, the Healthcare Information and Management Systems Society (HIMSS), a global, not-for-profit organization focused on better health through IT, found that electronic health data breaches remain a primary concern despite increased use of security technologies and analytics.
The 2013 HIMSS Security Survey shows that, despite progress toward hardened security and the use of analytics, more work must be done to mitigate insider threats such as the inappropriate access of data by employees. In the previous twelve months, 19% of respondents had reported a security breach and 12% of organizations had suffered at least one known case of medical identity theft reported by a patient.
The survey looked at the data security experiences of 283 IT and security professionals at U.S. hospitals and physician practices. The data suggests that the greatest perceived “threat motivator” is that of healthcare workers potentially snooping into the electronic health information of friends, neighbors, spouses or co-workers, according to HIMSS.
There has been increased use of several key technologies related to employee access to patient data, including user access control and audit logs of each access to patient health records, the report said. And although more than half of the survey’s respondents have increased their security budgets in the past year, 49% of these organizations are still spending 3% or less of their overall IT budget on security initiatives that will secure patient data.
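Audit logs of every access to a patient record, as described above, only reduce insider snooping if someone actually reviews them. The following is an added example (not from the original post or from HIMSS) of the kind of review a defender can automate: it parses constructed audit lines and flags accesses by staff with no care-team relationship to the patient, and accesses to the record of a patient who is also an employee. All user ids, patient ids, the log format and the care-team data are constructed for illustration.

```python
"""Flag possible snooping in constructed EHR access-audit records (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user: str
    patient: str
    action: str  # e.g. "view", "print", "export"


# Constructed care-team assignments: which staff are authorised for which patient.
CARE_TEAM = {
    "P1001": {"dr_lee", "rn_ortiz"},
    "P1002": {"dr_lee"},
    "P2001": {"rn_ortiz"},
}

# Constructed mapping of patients who are also employees (co-worker snooping risk).
EMPLOYEE_PATIENTS = {"P2001": "rn_patel"}

# Constructed sample audit trail: timestamp|user|patient|action, one access per line.
SAMPLE_LOG = """\
2013-11-04T09:12:31|dr_lee|P1001|view
2013-11-04T09:14:02|rn_ortiz|P1001|view
2013-11-04T12:40:55|dr_lee|P2001|view
2013-11-04T13:05:10|rn_ortiz|P1002|print
"""


def parse_line(line: str) -> AccessEvent:
    """Split one constructed audit line into its four fields."""
    timestamp, user, patient, action = line.strip().split("|")
    return AccessEvent(timestamp, user, patient, action)


def classify(event: AccessEvent) -> list:
    """Return the names of the review rules the event trips (empty if it looks legitimate)."""
    findings = []
    if event.user not in CARE_TEAM.get(event.patient, set()):
        findings.append("no-treatment-relationship")
    if event.patient in EMPLOYEE_PATIENTS and EMPLOYEE_PATIENTS[event.patient] != event.user:
        findings.append("coworker-record")
    return findings


def review(log_text: str) -> list:
    """Return (event, findings) pairs for every access that trips at least one rule."""
    events = (parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    return [(ev, classify(ev)) for ev in events if classify(ev)]
```

Running `review(SAMPLE_LOG)` flags the third and fourth lines; the first two are accesses by the assigned care team and pass both rules.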
To address the various security threats they are facing, healthcare organizations need to take steps such as deploying the latest endpoint security, anti-malware, network access control and other security solutions. But they also need to develop a comprehensive strategy that includes policies as well as technology.
VARs and MSPs have a big potential role to play in helping companies in this sector create stronger security postures.
If you’re not already doing business in this sector, start by learning about regulations such as HIPAA and HITECH, and determine how you can put together a service package that addresses the key security needs of an industry that’s so vital to society at large.