12/10/2014
08:36 AM
Alison Diana

Healthcare Security In 2015: 9 Hotspots

With data breaches growing, 2015 promises to be the healthcare industry's most challenging security year yet. These nine areas demand attention in 2015.

Healthcare organizations must tighten security or risk getting breached, penalized, and potentially ostracized by a public fed up with seeming carelessness with their personal information. Unfortunately, the task of securing protected health information (PHI) is only becoming more challenging for even the best-prepared organizations. Fitness bands, hospital portals, electronic health records, health information exchanges, insurance networks -- the list of Internet-connected devices, tools, and sites containing personal and medical data keeps growing.

The healthcare sector has been under attack for some time. In 2014, despite headlines dominated by JPMorgan Chase, Home Depot, and other retail or financial entities, the healthcare industry accounted for 43% of all major breaches, according to the Ponemon Institute.

Even attacks on companies that don't operate within the medical field can have healthcare-related consequences. When Sony Pictures Entertainment was hacked in November, cyberthieves apparently stole more than movies. They reportedly also took more than 25 gigabytes of data on tens of thousands of Sony employees, including medical and salary information, Social Security numbers, and addresses, according to Krebs On Security.

Within healthcare organizations, a whopping 93% of information held requires protection, according to EMC's The Digital Universe report. The data includes claims requests, PHI, and medical records. Yet only 57% of this information is "somewhat protected," while 43% is inadequately safeguarded, the report found. But IT professionals must balance security needs against healthcare professionals' need for fast access to data and applications; extra clicks can make a difference in a patient's life, after all.

"With the continuation of high-profile hacks, IT security, specifically distributed or mobile security, will be a renewed priority for many organizations," David Appelbaum, senior vice president of marketing at Moka5, told InformationWeek. "No one wants to be the next headline, and as the stakes go increasingly higher, the need for enhanced security that does not inhibit end-user productivity is becoming increasingly more of a requirement."

Healthcare organizations have been warned about the consequences of an insecure environment, and the cacophony of cautions grew following the Community Health System breach in August. Still, a frightening number of healthcare providers continue to ignore the alarms from a federal alphabet soup of agencies, including the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Food and Drug Administration (FDA). Consider:

  • More than 41% of healthcare organizations do not use endpoint encryption, even though approximately one-third of employees work remotely at least once a week, according to Forrester Research.
  • Sixty-eight percent of the industry's breaches since 2010 have occurred because files or devices were stolen, the Bitglass 2014 Healthcare Breach Report determined.
  • Hacker attacks increased 600% in the first 10 months of 2014 versus the prior year, Websense Security Labs' Carl Leonard told TechNewsWorld.

Attackers also are becoming more sophisticated, experts warn. Cybercriminals are seeking more information than ever about their victims to sell, Websense researchers cautioned. "These fuller, richer, personal identity dossiers of individual users, consisting of multiple credit cards, regional and geographic data, personal information and behavior, will be increasingly traded in the same manner that stolen credit cards are today."

Because this information often resides within health systems' databases or networks, hospitals are natural targets and require extraordinary defenses.

With so much cyberdanger to battle, it seems obvious the healthcare industry will face additional crises in 2015. None of the underlying security issues are new, but all are crucial to address. Click through our slideshow to see the nine security hotspots we predict for healthcare in 2015.

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments
Alison_Diana,
User Rank: Author
12/15/2014 | 11:34:22 AM
Re: Ramp up the health care data security program
I wish I could take credit for some incredible foresight, @aws0513 -- but I think ANY time would be right to compile an outlook piece about healthcare security, I'm afraid. While we don't always hear about them in the national press, search online for healthcare breaches and you'll find a guesstimated one a week. That's not a scientific number but I'd love to have the time to compile a list that includes both 500+ and fewer incidents (not on the Hall of Shame).
byarbrough2008,
User Rank: Apprentice
12/12/2014 | 11:46:13 AM
Re: Ramp up the health care data security program
I have been in a number of hospitals that do not secure their data for the simple reason that the "doctors do not want a difficult process". Therefore, management refuses simple items such as complex passwords, removing or isolating aging operating systems, etc. Until management allows security professionals to correct even the most fundamental tenets of security, the security posture will remain the same.
sholden334,
User Rank: Apprentice
12/10/2014 | 3:29:51 PM
Too much information
A good article, but are healthcare providers collecting too much personal information?

I visited my dentist yesterday for a tooth cleaning - I have been a patient for >4 years - yesterday I was presented with a new set of forms - they needed insurance card, driving license, social security number, address, date of birth. The patient records are on display in open filing racks, I don't know who has access to their computers or where the backups are kept or if they shred their old paperwork, but it looked like identity theft waiting to happen.

When did an insurance card or credit card become insufficient for an $80 cleaning?
aws0513,
User Rank: Strategist
12/10/2014 | 10:06:18 AM
Ramp up the health care data security program
Great article Alison.
The timing of this article could not be better...
Yesterday, DHHS issued a $150K sanction against a health care provider for poor security practices, specifically bad patching practices and using outdated/unsupported software.

Google search: Anchorage Community Mental Health Services and DHHS and sanction