Healthcare Security In 2015: 9 Hotspots - InformationWeek
Alison Diana

Healthcare Security In 2015: 9 Hotspots

With data breaches growing, 2015 promises to be the healthcare industry's most challenging security year yet. These nine areas demand attention in 2015.

Healthcare organizations must tighten security or risk getting breached, penalized, and potentially ostracized by a public fed up with seeming carelessness with their personal information. Unfortunately, the task of securing protected health information (PHI) is only becoming more challenging for even the best-prepared organizations. Fitness bands, hospital portals, electronic health records, health information exchanges, insurance networks -- the list of Internet-connected devices, tools, and sites containing personal and medical data keeps growing.

The healthcare sector has been under attack for some time. In 2014, despite headlines dominated by JPMorgan Chase, Home Depot, and other retail or financial entities, the healthcare industry accounted for 43% of all major breaches, according to the Ponemon Institute.

Even attacks on companies that don't operate within the medical field can have healthcare-related consequences. When Sony Pictures Entertainment was hacked in November, cyberthieves apparently stole more than movies. They reportedly also took more than 25 gigabytes of data on tens of thousands of Sony employees, including medical and salary information, Social Security numbers, and addresses, according to Krebs On Security.

Within healthcare organizations, a whopping 93% of information held requires protection, according to EMC's The Digital Universe report. The data includes claims requests, PHI, and medical records. Yet only 57% of this information is "somewhat protected," while 43% is inadequately safeguarded, the report found. But IT professionals must balance security needs against healthcare professionals' need for fast access to data and applications; extra clicks can make a difference in a patient's life, after all.

"With the continuation of high-profile hacks, IT security, specifically distributed or mobile security, will be a renewed priority for many organizations," David Appelbaum, senior vice president of marketing at Moka5, told InformationWeek. "No one wants to be the next headline, and as the stakes go increasingly higher, the need for enhanced security that does not inhibit end-user productivity is becoming increasingly more of a requirement."

Healthcare organizations have been warned about the consequences of an insecure environment, and the cacophony of cautions grew following the Community Health System breach in August. Still, a frightening number of healthcare providers continue to ignore the alarms from a federal alphabet soup of agencies, including the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Food and Drug Administration (FDA). Consider:

  • More than 41% of healthcare organizations do not use endpoint encryption, even though approximately one-third of employees work remotely at least once a week, according to Forrester Research.
  • Sixty-eight percent of the industry's breaches since 2010 have occurred because files or devices were stolen, the Bitglass 2014 Healthcare Breach Report determined.
  • Hacker attacks increased 600% in the first 10 months of 2014 versus the prior year, Websense Security Labs' Carl Leonard told TechNewsWorld.

Attackers also are becoming more sophisticated, experts warn. Cybercriminals are seeking more information than ever about their victims to sell, Websense researchers cautioned. "These fuller, richer, personal identity dossiers of individual users, consisting of multiple credit cards, regional and geographic data, personal information and behavior, will be increasingly traded in the same manner that stolen credit cards are today."

Because this information often resides within health systems' databases or networks, hospitals are natural targets and require extraordinary defenses.

With so much cyberdanger to battle, it seems obvious the healthcare industry will face additional crises in 2015. None of the underlying security issues are new, but all are crucial to address. Click through our slideshow to see the nine security hotspots we predict for healthcare in 2015.

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

User Rank: Author
12/15/2014 | 11:34:22 AM
Re: Ramp up the health care data security program
I wish I could take credit for some incredible foresight, @aws0513 -- but I think ANY time would be right to compile an outlook piece about healthcare security, I'm afraid. While we don't always hear about them in the national press, search online for healthcare breaches and you'll find a guesstimated one a week. That's not a scientific number but I'd love to have the time to compile a list that includes both 500+ and fewer incidents (not on the Hall of Shame).
User Rank: Apprentice
12/12/2014 | 11:46:13 AM
Re: Ramp up the health care data security program
I have been in a number of hospitals that do not secure their data for the simple reason that the "doctors do not want a difficult process". Therefore, management refuses simple items such as complex passwords, removing or isolating aging operating systems, etc. Until management allows security professionals to correct even the most fundamental tenets of security, the security posture will remain the same.
User Rank: Apprentice
12/10/2014 | 3:29:51 PM
Too much information
A good article, but are healthcare providers collecting too much personal information?

I visited my dentist yesterday for a tooth cleaning - I have been a patient for >4 years - yesterday I was presented with a new set of forms - they needed insurance card, driving license, social security number, address, date of birth. The patient records are on display in open filing racks, I don't know who has access to their computers or where the backups are kept or if they shred their old paperwork, but it looked like identity theft waiting to happen.

When did an insurance card or credit card become insufficient for an $80 cleaning?
User Rank: Strategist
12/10/2014 | 10:06:18 AM
Ramp up the health care data security program
Great article Alison.
The timing of this article could not be better...
Yesterday, DHHS issued a $150K sanction against a health care provider for poor security practices, specifically bad patching practices and using outdated/unsupported software.

Google search: Anchorage Community Mental Health Services and DHHS and sanction