Healthcare IT Security Worse Than Retail, Study Says - InformationWeek

Bad news for healthcare community: New study shows retailers like Target and eBay are more secure than many healthcare organizations.

[Image: Healthcare Dives Into Big Data]

Healthcare organizations are rife with insecurity, and it's only a question of when a Target-like attack puts millions of patient health information (PHI) files on the black market, a new study suggests.

A large-scale attack within the healthcare industry could put patients' safety and lives at stake, cautioned Stephen Boyer, CTO of security rating firm BitSight Technology, in an interview. Despite increasing awareness about these risks, healthcare organizations are far behind their peers in other vertical markets, Boyer said, citing a BitSight study titled Will Healthcare Be the Next Retail?, released May 28.

Of the four industries the study analyzed, healthcare saw the largest surge in attacks and was slowest to respond, taking more than five days to remediate security issues. By comparison, finance took about 3.5 days, and retail and utilities combated issues within approximately four days. Some healthcare organizations led the market, using best practices and adequate resources, but as a sector, healthcare is weaker than the others.

According to Boyer, however, that may be improving. "I don't know of a major breach of healthcare records, but stay tuned. I know that certainly there's worry about privacy. I see more transparency going into the process and I think that's going to put the right incentives in place," he said. "The Target breach was just a watershed moment in the industry. It's changing conversations everywhere we go."

[Are you prepared for insider threats? Read Colleagues In Cuffs: When Employees Steal Patient Records.]

For its report, BitSight analyzed the security performance of Standard & Poor's 500 firms based on data such as communication with a botnet, malware distribution, or spam propagation, and determined that last year 82% of organizations suffered a security compromise. Within the finance, utilities, retail, and healthcare and pharmaceutical industries, healthcare showed the worst performance overall, according to the study.

(Source: BitSight Technology, "Will Healthcare Be the Next Retail?")

PHI has real value to thieves. On the black market, Boyer said, a patient's electronic medical record sells for about $20; by comparison, credit card data sells for approximately $1 per card. Some patients could be embarrassed if their health records become public, opening them to blackmail or other victimization. Thieves also sell PHI to those without insurance.

"You can go and get healthcare. You can go and get treatment. You can buy drugs," Boyer said. "Obviously there's fraud. Those visits, those prescriptions, go on your record. That's moving cybertheft into life and death."

Unlike finance firms that have secured money since their earliest days, healthcare organizations are typically comparatively new to the world of data protection. Their mission is to deliver care, not safeguard bytes of data, Boyer explained, so awareness, cognition of the full range of insecurities, and resources are not available across the industry.

The Department of Health and Human Services tackled the issue with a stick: Bigger fines for breached organizations. Earlier this month, for instance, HHS Office for Civil Rights (OCR) settled a $4.8 million HIPAA breach case with New York and Presbyterian Hospital and Columbia University. That scrutiny may only increase in light of retailers' recent breaches, according to Paul Trulove, VP of products at SailPoint.

"On the heels of such well-known data breaches at Target and even [more recent] news of the cyberattack on eBay, auditors are going to put even more scrutiny on healthcare organizations as the data they house is even more valuable than consumer data," he said in an interview.

Rules such as HIPAA and the HITECH Act have generally done a good job of protecting patient data. Often human error causes breaches, Michael Raggo, security evangelist at MobileIron, told InformationWeek.

"I will never say never, but the healthcare industry has seen a disproportionately low instance of cyberattacks, and rather a higher proportion of accidental data loss through well-intentioned but risky user behaviors on the device or lost devices. A major reason for a low instance of cyberattacks is because stringent HIPAA guidelines are a core part of the data security and compliance strategy of all healthcare organizations in the United States," Raggo said. "That said, cyberattacks are increasing, as are the number of attack vectors organizations need to protect."

Likewise, Boyer added, older healthcare systems may not include the latest technological safeguards. In fact, he pointed out, one healthcare official recently received an implementation pitch that included computers running Windows XP, an operating system Microsoft no longer supports with security upgrades.

"I know there are some key conversations going on now on things that will improve [healthcare security]," he said. "I'm less optimistic they'll happen quickly. This is not a super agile environment inside hospitals and health organizations. It's going to be difficult to turn around."

If a big breach occurs within healthcare, Boyer warned, patients could react by switching providers or insurers, or being less forthcoming with physicians -- even to the detriment of their health.


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

5/28/2014 | 10:03:59 AM
Why ever store credit card numbers?
When I hear about credit card information being at risk at retailers, etc, I wonder why retailers ever store credit card numbers. Once they have an approval from the credit card company they no longer need the card number.
5/28/2014 | 9:08:09 AM
Re: healthcare security
Personally I find it absolutely terrifying. There are, however, a few glimmers of hope here.
  • One, as Stephen stressed throughout the conversation, this is an average and some healthcare providers are better than others. Several (including some I've interviewed for InformationWeek) integrate security into everything they do. 
  • Patients are getting more access into their records, giving us the opportunity (if not responsibility) to review them for accuracy. Of course, we've seen this work with varying results in the financial sector; it's challenging to get your credit report fixed sometimes. I cannot imagine how easy it will be to get your EHR amended if it's wrong due to an inaccuracy for your treatment or due to hacking/misuse of your data by another.
  • These increased penalties should make all healthcare providers, large and small, more aware and concerned about breaches and security. However, you can beat companies over the head with examples like Target, eBay, Michael's, TJMaxx, and more and they still make simply fixable errors, so I don't know how much weight this argument carries until an organization itself gets hit. Then everyone within THAT organization definitely cares. But does their competitor? I don't know.
5/28/2014 | 8:43:27 AM
healthcare security
Not very reassuring. It's a problem that really needs to be addressed.