Comments
Healthcare IT Security Worse Than Retail, Study Says
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/30/2014 | 9:46:57 AM
Re: Why ever store credit card numbers?
You're so right. Many people like the convenience of storing their data, including credit card numbers. And I've seen studies that show the majority of people don't even use a simple four-digit password on their smartphones, leaving them wide open to theft.
chrisbunn
50%
50%
chrisbunn,
User Rank: Apprentice
5/30/2014 | 4:05:20 AM
the unintentional insider threat
Healthcare organizations can help themselves by ensuring better employee education and the right security tools are in place that control and monitor users access to resources on a network. This is for employees own benefit and for that of the organisation they work for.

Why? Because most security problems in most organisations - including healthcare - appear not to be down to malicious attacks, but careless employee behaviour and misunderstandings on what actions are considered to be a security risk. Network Security relies heavily on a user's login credentials - identity is the most important security control for access to organizations resources. 

This goes down to simple limitations, such as preventing two logins on a single user ID taking place at the same time and enforcing access restrictions by location & time. By doing so organizations can help reduce the risk of shared passwords, stop attacks from stolen credentials and ensure all access is attributed to an individual employee. 

 

 

 

 
moarsauce123
0%
100%
moarsauce123,
User Rank: Ninja
5/29/2014 | 7:12:09 AM
Re: healthcare security
Not disagreeing, but keep in mind that health care providers are experts in, well, health care. They are not IT experts and with the slim margins in that industry they cannot afford to hire even more staff. Administration is already the main driver of health care cost, care itself isn't that expensive.

I see the responsibility here at the system vendors. It is common practice to push the responsibilityfor data security to the customers, but it really is a disservice to everyone.
moarsauce123
0%
100%
moarsauce123,
User Rank: Ninja
5/29/2014 | 7:07:54 AM
Re: Why ever store credit card numbers?
Also many sites do not want the mandate of having a smartphone to log in. I do not own a smartphone, so SMS based two factor authentication would mean that I could not use these services.

The reason I do not have a smartphone is simply cost. Not cost of the device, but cost of the plan. I don't have the 40$ or more per month to spare for something I really do not need. I am either at home or at work and the time between I am off the grid.
JonNLakeland
50%
50%
JonNLakeland,
User Rank: Moderator
5/28/2014 | 11:12:30 AM
Re: Why ever store credit card numbers?
@Alison, Perhaps my understanding is flawed, but I thought the stolen CC info from B&M stores was stolen in line, not from a digital storage medium. Either from the POS device or from intercepting batches.
JonNLakeland
50%
50%
JonNLakeland,
User Rank: Moderator
5/28/2014 | 11:09:02 AM
Re: Why ever store credit card numbers?

Convenience. The same reason most websites still use passwords instead of multifactor authentication. Consumers are more likely to make impulse buys if their CC info is already stored. Consumers are more likely to make use of a website, forum, or other digital archive if they can just click login and not have to go looking for a text message or authenticator. The goal for 99% (fictional statistic) of the internet using populace is as much security as does not require any personal responsibility or effort from them for being secure.

In my experience most websites that store your CC info also give you the option to not. Most websites that allow multifactor authentication also give you the option to not. I'd be personally shocked, based on the security habits of my friends and family, if even 1% of users make use of those options.

Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/28/2014 | 10:11:09 AM
Re: healthcare security
An interesting side point: The company really expected Utilities to perform worse than other verticals. As you can see from the chart (and from the full report, if you access it), that was far from true! Good news for our grid. Bad news for retail and healthcare.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/28/2014 | 10:09:49 AM
Re: Why ever store credit card numbers?
I've wondered the same thing, @Anon. They do want to store all the related information: our names, addresses, and any other data they can collect (such as age, gender, amount spent, what we bought, time of day, etc.), which they use for a variety of reasons such as marketing, inventory, and so forth. You'd think, though, they could extract and delete the CC data from the information they 'need,' wouldn't you? On e-commerce sites, users typically have the option of saving or not saving their CC data, often by creating a reusable account or shopping as a guest. Why don't we have that same option as a customer of a brick and mortar store?

Of course, when it comes to healthcare, organizations need to keep all that information as part of their effort to improve care, reduce or eliminate errors (such as prescriptions, allergies, etc.), and streamline care across sites. Finally, providers are not allowed to request SSNs -- although I've found many still include that information on their forms (I just leave it blank since I figure it's for collection agency use as much as anything). Since healthcare orgs must have all this information (although there's no reason for them to store CC data, either), it's imperative for them to safeguard our data.
ANON1243418786338
50%
50%
ANON1243418786338,
User Rank: Apprentice
5/28/2014 | 10:03:59 AM
Why ever store credit card numbers?
When I hear about credit card information being at risk at retailers, etc, I wonder why retailers ever store credit card numbers. Once they have an approval from the credit card company they no longer need the card number.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/28/2014 | 9:08:09 AM
Re: healthcare security
Personally I find it absolutely terrifying. There are, however, a few glimmers of hope here.
  • One, as Stephen stressed throughout the conversation, this is an average and some healthcare providers are better than others. Several (including some I've interviewed for InformationWeek) integrate security into everything they do. 
  • Patients are getting more access into their records, giving us the opportunity (if not responsibility) to review them for accuracy. Of course, we've seen this work with varying results in the financial sector; it's challenging to get your credit report fixed sometimes. I cannot imagine how easy it will be to get your EHR amended if it's wrong due to an inaccuracy for your treatment or due to hacking/misuse of your data by another.
  • These increased penalties should make all healthcare providers, large and small, more aware and concerned about breaches and security. However, you can beat companies over the head with examples like Target, eBay, Michael's, TJMaxx, and more and they still make simply fixable errors, so I don't know how much weight this argument carries until an organization itself gets hit. Then everyone within THAT organization definitely cares. But does their competitor? I don't know.
<<   <   Page 2 / 3   >   >>


The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.