Many healthcare security leaders are recognizing that compliance activities, while important, are not enough to adequately mitigate the risks of data breaches and ransomware attacks.
In May 2016, the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data revealed that data breaches in healthcare were consistently high in terms of volume, frequency, impact, and cost over the past six years. The report noted that upwards of 90 percent of healthcare organizations experienced a data breach in the past two years, and nearly half had more than five data breaches in the same period. The report further suggests that estimates for the cost of breaches in healthcare could exceed USD $6 billion, with the average cost of a data breach estimated at more than $2.2 million, while the average cost to business associates in the study is more than $1 million. The report identified ransomware, malware, and denial-of-service (DoS) attacks as the top cyber threats facing healthcare organizations.
In an effort to enable healthcare organizations to better understand the current state of their security readiness and address any gaps in their security programs, Intel Health and Life Sciences collaborated with 40 global industry partners to create a Healthcare Security Readiness Program. The security readiness program is a complimentary service and assessment that enables healthcare IT teams to benchmark their organization’s security maturity, priorities and capabilities against their peers. Intel and VMware, one of the industry partners, demonstrated the security readiness program at the 2017 HIMSS Annual Conference and Exhibition this week in Orlando.
“Healthcare organizations are increasingly recognizing they need to go beyond basic compliance to adequately mitigate the risk of breaches and ransomware. So the question is, how much further do they need to go, and that depends on where they stand with their security. Are they lagging? If they are lagging, the breach types we are seeing now are opportunistic and they affect organizations that are relatively vulnerable,” David Houlding, director of healthcare privacy and security, Intel Health and Life Sciences, says.
Through the program, healthcare organizations participate in a confidential engagement with a security assessor to measure their organization’s technical security priorities and safeguards using a healthcare security maturity model. To date the model has been used by more than 60 healthcare and 15 life sciences organizations across nine countries to create a baseline against which participating organizations can measure their technical readiness across 42 security capabilities. The model also looks at administrative controls such as policies, incident response plans and business continuity/disaster recovery capabilities.
Participating healthcare organizations will receive a report summarizing the findings, including their maturity level, how they compare with the rest of the healthcare industry, any gaps in their security and a multi-year plan to improve their infrastructure and security preparedness. Houlding says the report can also help organizations identify where addressing a gap may also help them achieve compliance with privacy and security regulations, data protection laws and standards specific to the healthcare industry. These include the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR), among others.
Results of the program, to date, show a wide range of readiness among healthcare organizations across different types of breaches. Cybercrime hacking readiness results show the least prepared healthcare organization having only 25 percent of the relevant security capabilities, while the most prepared has 88 percent. The average cybercrime hacking readiness to date is 59 percent, showing that the healthcare industry as a whole has much room for improvement in security and risk mitigation, according to Houlding.
The healthcare security readiness program also looks at capabilities such as security incident response plans and user awareness training. Of the organizations that have participated in the assessment program, about half have a documented security incident response plan, he says, and assessors have found significant gaps in user awareness training and education.
“The conventional mantra is that healthcare security is lagging, so you want to take a data-rich approach to finding those gaps in order to guide efforts to mitigate risk. We work to reduce the risk because the reality is that you never quite get it to zero,” he says.
According to Hussein Syed, chief information security officer at RWJBarnabas Health in New Jersey, today’s hackers operate as professional organizations, “meaning they do a lot of planning and diligence before executing attacks. This means healthcare organizations must be equally proactive and thoughtful in how we assess the security of our organizations.” He adds, “This healthcare security readiness program gives healthcare organizations access to a wealth of actionable information, at no cost, and with very little investment of time or resources.”
Chris Logan, senior healthcare strategist, security and compliance at VMware, says the security readiness assessment provides CISOs with benchmarking data that can help support their cybersecurity strategies when approaching the board. In his time as a healthcare CISO, Logan says, “I could go to the board of directors and say ‘We’re doing all these things to meet compliance,’ but the one thing that was always lacking was, ‘I can’t tell you where we stand.’ What I see in this assessment is that it can help organizations build a strategy and identify the gaps that need to be filled.”