Healthcare IT Security Worse Than Retail, Study Says - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Comments
Healthcare IT Security Worse Than Retail, Study Says
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Ariella
50%
50%
Ariella,
User Rank: Author
5/28/2014 | 8:43:27 AM
healthcare security
Not very reassuring. It's a problem that really needs to be addressed.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/28/2014 | 9:08:09 AM
Re: healthcare security
Personally I find it absolutely terrifying. There are, however, a few glimmers of hope here.
  • One, as Stephen stressed throughout the conversation, this is an average and some healthcare providers are better than others. Several (including some I've interviewed for InformationWeek) integrate security into everything they do. 
  • Patients are getting more access into their records, giving us the opportunity (if not responsibility) to review them for accuracy. Of course, we've seen this work with varying results in the financial sector; it's challenging to get your credit report fixed sometimes. I cannot imagine how easy it will be to get your EHR amended if it's wrong due to an inaccuracy for your treatment or due to hacking/misuse of your data by another.
  • These increased penalties should make all healthcare providers, large and small, more aware and concerned about breaches and security. However, you can beat companies over the head with examples like Target, eBay, Michael's, TJMaxx, and more and they still make simply fixable errors, so I don't know how much weight this argument carries until an organization itself gets hit. Then everyone within THAT organization definitely cares. But does their competitor? I don't know.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/28/2014 | 10:09:49 AM
Re: Why ever store credit card numbers?
I've wondered the same thing, @Anon. They do want to store all the related information: our names, addresses, and any other data they can collect (such as age, gender, amount spent, what we bought, time of day, etc.), which they use for a variety of reasons such as marketing, inventory, and so forth. You'd think, though, they could extract and delete the CC data from the information they 'need,' wouldn't you? On e-commerce sites, users typically have the option of saving or not saving their CC data, often by creating a reusable account or shopping as a guest. Why don't we have that same option as a customer of a brick and mortar store?

Of course, when it comes to healthcare, organizations need to keep all that information as part of their effort to improve care, reduce or eliminate errors (such as prescriptions, allergies, etc.), and streamline care across sites. Finally, providers are not allowed to request SSNs -- although I've found many still include that information on their forms (I just leave it blank since I figure it's for collection agency use as much as anything). Since healthcare orgs must have all this information (although there's no reason for them to store CC data, either), it's imperative for them to safeguard our data.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/28/2014 | 10:11:09 AM
Re: healthcare security
An interesting side point: The company really expected Utilities to perform worse than other verticals. As you can see from the chart (and from the full report, if you access it), that was far from true! Good news for our grid. Bad news for retail and healthcare.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/30/2014 | 9:46:57 AM
Re: Why ever store credit card numbers?
You're so right. Many people like the convenience of storing their data, including credit card numbers. And I've seen studies that show the majority of people don't even use a simple four-digit password on their smartphones, leaving them wide open to theft.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/30/2014 | 9:49:37 AM
Re: healthcare security
I agree with you that security is NOT what healthcare providers typically are good at. It's one reason I, personally, think many should seriously consider cloud as an option. Now, that doesn't mean rushing out and choosing any old cloud provider. It requires due diligence, a strong SLA, a deep dive into a cloud service provider's security (physical and cyber), as well as a long look at the company's financial resources. But partnering with a firm that solely provides data services and security can make a lot of sense for healthcare organizations, especially those without the resources to hire the right number and type of internal staff and buy adequate tech of their own.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/30/2014 | 9:54:24 AM
Re: the unintentional insider threat
You are SO right, @Chris. Whenever I see reports or press releases on healthcare breaches or take a spin through HHS' Wall of Shame, I am (unsurprised but) stunned at the high percentage of breaches due to employee negligence, such as losing an unencrypted laptop. I don't know if it's laziness, lack of education, overly complex procedures that spawn workarounds, or a combination of factors that lead to these commonplace lapses but it's very disheartening. I think IT and security pros can help their organizations improve security by showing the direct result of lapses: Huge penalties and loss of public trust (and patients?) once these occur. Plus design security solutions that are as user-friendly as possible, while still safeguarding data. Tough but feasible.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/30/2014 | 10:01:51 AM
Re: healthcare security
How can vendors make their systems more secure, @moarsauce123? Do you think they should automatically encrypt all data, for example? Do you know of any vendors who are doing a better job than others?
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/30/2014 | 10:05:02 AM
Re: Why ever store credit card numbers?
@Jon, I believe you're correct about those stolen CC numbers. This report didn't get into how healthcare data is being stolen. Information from HHS seems to indicate most is taken due to lack of encryption when hardware -- laptops, smartphones, etc. -- get stolen or lost. But this report suggests healthcare organizations WILL be attacked in a much more organized fashion. And if/when that happens, the general lack of preparedness will lead to a huge loss of personal health information, much bigger than anything we have yet seen from the world of retail.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
5/30/2014 | 10:07:34 AM
Watch Out, Finance?
Do you think healthcare organizations will become more likely to try and recruit security professionals from finance? Or is healthcare too specialized, their budgets too tight (compared with finance) for this approach to work?
Page 1 / 2   >   >>


2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

News
Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
News
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
Slideshows
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
Register for InformationWeek Newsletters
Video
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll