The vast majority of hospitals and other healthcare providers say that security is a key business priority. However, healthcare breach numbers are climbing and the costs associated with these breaches are also trending up. Even with growing regulatory pressures, healthcare organizations cannot fight the rising tide of security incidents. A new survey conducted by the Healthcare Information and Management Systems Society (HIMSS), the 2016 HIMSS Cybersecurity Survey, found that the “story” in healthcare cybersecurity hasn’t changed much between 2015 and 2016.
“This is the second year being pounded by attacks, but the needle hasn’t really moved in our numbers, and that worries me,” says Lee Kim, director of privacy and security at HIMSS. “The hackers believe and have proven that we are low-hanging fruit. You don’t have to be a whiz-kid to break in and get all kinds of data. As long as they are successful, they’ll keep targeting us.”
Healthcare Data is Low-Hanging Fruit
The survey revealed that many healthcare organizations have anti-virus and malware software or firewall protections in place, but more advanced protections are notably absent. This is particularly true for smaller providers. The survey also revealed that only 42% of surveyed non-acute providers have intrusion detection technology. Without this critical layer of protection, healthcare providers likely won’t even be aware when an attack or breach occurs.
Smaller organizations are not the only ones struggling with data protections. Only 68% of hospitals encrypt data in transit, while non-acute providers fare even worse (48%). The pattern continues across other technologies, including data-at-rest encryption, patch management, network monitoring, user access controls, SSO technology, multi-factor authentication and data loss prevention applications. Without layered protections in place, most of these organizations (80%) say they have experienced a recent significant security incident.
Right now, the executives surveyed believe that the top vulnerabilities in healthcare are email, mobile devices and the Internet of Things. Ransomware, advanced persistent threat attacks and phishing attacks were the most feared threats, all of which are amplified by the top vulnerabilities. If healthcare executives are aware of the risks and want to prioritize data security, why are we still seeing so many attacks?
From Security Planning to Implementation
There is something lost in translation as organizations cross over from security prioritization to its implementation. Part of the issue is likely a lack of communication across these organizations. Data security may be a priority for some parts of an organization, but not others. With a top-down culture of security, data security becomes a priority for all employees. Layers of technology can then be applied to support employee mobility initiatives while increasing IT visibility over data. This strategy can effectively close the gap between “wanting” to be secure and actually “being” secure.
A data-centric approach to security will focus on protecting data, no matter where it lives or moves. The first step is to find out where your data lives, and that’s where we can help. Our new Endpoint Data Discovery (EDD) toolkit in Absolute DDS can help you monitor and protect sensitive data on the move. With our technology, you can tighten the strings on your entire security deployment. Learn more at Absolute.com