Being compliant does not mean your organization is safe, nor does it mean that your organization is immune to repercussions at the hands of a data breach. In an article on CSO Online, Compliant does not equal protection: our false sense of security, I discuss the nuances of regulatory compliance and how regulations, while important in driving protection standards, can lead to complacency in setting security standards.
While we have seen many organizations in the healthcare industry with mature security postures, the healthcare industry as a whole continues to struggle with security. According to the latest release of Cigital's Building Security in Maturity Model (BSIMM6), the healthcare industry lags behind other sectors when it comes to software security.
HIPAA regulations have continued to challenge healthcare organizations across the country, exposing major cracks in the foundation of healthcare data security processes. Healthcare organizations face the greatest number of data security challenges of any industry: they are the top target for cyber attacks, and they operate highly complicated networks, a growing volume of electronic health records and an increasingly mobile workforce.
The healthcare industry sees 340% more security incidents and attacks than the average industry, according to new research. The 2015 Industry Drill-Down Report – Healthcare reveals that the healthcare industry continues to be highly targeted, due to the high value of healthcare data as well as the new wave of connected devices adding attack vectors to this highly complicated industry.
As of September 29th, the number of overall breaches for 2015 reported to the ITRC has thus far slightly dipped below the 2014 figures, at 563 data breaches, but the number of breached records has already outstripped total 2014 figures, at over 155 million records exposed versus the 81.5 million exposed records in 2014. What’s even more surprising is that the healthcare industry no longer leads in terms of most known breaches. As of the end of the recorded third quarter, healthcare accounts for 35.7% of data breaches, while business accounts for 39.2%. In contrast, healthcare accounted for 42.5% of breaches last year.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced a new HIPAA settlement with a small health care provider, which reinforces the importance of securing electronic protected health information (ePHI) on the endpoint.
When talking about the healthcare industry, we tend to lump all sectors together. While the data security regulations do not differentiate between subsections of the healthcare industry, there are different risks, challenges, and levels of preparedness among the sectors. According to new research from Crown Records Management, the pharmaceutical sector is woefully under-prepared for current and future data security challenges.
We are more than halfway into 2015, with enough time now to assess the impact data breaches have had on organizations this year. The reports so far indicate a growth in targeted attacks, and continued attacks on the healthcare industry.