Most healthcare professionals believe criminals are increasingly targeting healthcare organizations; however, many report that their organizations do not have enough staff and security expertise dedicated to information security, according to a Trustwave survey.
For the 2015 Security Health Check Report, Trustwave surveyed 398 healthcare professionals, including 198 technical respondents (predominantly chief information officers, chief information security officers, IT managers, IT directors and IT vice presidents) and 200 non-technical respondents (physicians, nurses, senior executives, board members, finance professionals and office managers). The survey measures the challenges facing healthcare organizations and the security awareness and expectations of their employees.
Medical records are rapidly moving online and being widely shared among patients and health providers; web-connected “Internet of Things” devices and cloud services are expanding the attack surface; and the value of stolen healthcare data – which enables medical identity theft and insurance fraud – has soared in the criminal underground (reportedly fetching 10 to 20 times as much as financial data, such as credit card numbers), according to the Trustwave report.
The survey found that technical respondents were generally more concerned about security breaches, as 74 percent of technical respondents reported they are concerned about their organization getting breached, compared to 51 percent of non-technical respondents.
However, both segments of healthcare professionals reported they are most concerned about losing patient data in the event of a breach, above other types of information.
Among the technical professionals who took the survey, 35 percent reported that their company does not have enough staff and security expertise dedicated to security and half of respondents said 10 percent or less of their overall IT budget goes toward cybersecurity.
Close to half (47 percent) of technical respondents reported that their business performs vulnerability testing just once a year or even less frequently, and 5 percent reported they never do vulnerability testing. Eighty percent report that their organizations conduct a risk assessment once a year.
To address some of these issues, 35 percent of respondents reported hiring more staff with security expertise to manage their organization’s security, and 75 percent said their annual security budget has increased.
“To prevent the theft and use of this valuable data, health care organizations are backing two security measures, according to technical respondents. They are data segmentation (a privacy control that enables patients and providers to control who sees and uses certain sensitive data) and encryption (a well-known cloaking technology that renders data unreadable),” the report authors stated.
Of technical respondents, 94 percent said their organization encrypted information sent outside its network and 89 percent said their organization keeps its most sensitive data segmented from its non-sensitive data via a separate database.
As insider threats also pose a security risk for healthcare organizations, 96 percent of technical respondents said their organization limits access to sensitive information to only those who need it.
The report also highlights the need for buy-in from senior level executive leadership and board members with regard to information security issues and initiatives. Fifty-four percent of technical respondents said they meet with CEO/C-level executives/board members once a year about security challenges, while 35 percent report meeting with senior leadership twice a year or even more frequently.
An organization’s security and risk framework is only as good as how it is perceived and implemented throughout the business. The report authors highlight the need to overcome non-technical employee apathy and misinformation around information security through awareness training programs.
Half of non-technical respondents report that their organization’s security awareness training occurs only once a year, and the report authors emphasize that healthcare organizations should have more robust education and training programs.
The report authors also offer a number of recommendations for breach prevention, detection and response, such as understanding the risk through testing and risk assessment, prioritizing and taking action through awareness training and investing in advanced security solutions, using compliance frameworks for guidance and assessing the security of business partners.