Healthcare Sector, Heal Thyself

Ponemon Institute's 6th Study on Healthcare Privacy and Security Underscores Security Problems

Expert corner submission by:
Adam Laub, STEALTHbits Technologies
Brad Bussie, STEALTHbits Technologies
Craig Kensek, Lastline

The 6th annual Ponemon Institute Benchmark Study on Privacy & Security of Healthcare Data has just been published, and its findings on the state of the sector's cyber security reflect the recent stream of breach and ransomware news. A full 89% of the healthcare institutions and organizations surveyed, and 60% of third-party business associates, had a data breach in the past two years, with 79% reporting two or more in 24 months and nearly half (45%) reporting more than five.

The report notes that because the majority of breaches are small (under 500 records), and so go unreported to the U.S. Department of Health and Human Services (HHS) and the media, the collective financial impact of breaches has grown to an estimated $6.2 billion.

It's unsurprising that those interviewed believe healthcare organizations to be more vulnerable to data breaches than other industries: institutions hold massive amounts of valuable (time-critical, life-critical) data. The sector has focused on compliance, but has not deeply invested in security-centric infrastructure.

"The core issue that seems to be facing healthcare is the enormous shift in the value of information," says Brad Bussie, STEALTHbits Technologies Director of Product Management, who notes that banks went through similar issues years ago as they became prime targets for online fraud and theft. "As banks matured and funneled more funding into security, it became harder for bad actors to get paid. Now look at healthcare. They don't necessarily have cash sitting around for someone to steal, but patient information is the path to money. On the dark web it has major value." In addition to the relatively low security posture healthcare institutions have taken up until recently, Bussie points out that the Ponemon findings underscore another key issue: "Healthcare is vulnerable because of the finger pointing and infighting on who should handle security. Until patient information has the same monetary recognition as a handful of cash, we are all in for a long road of identity monitoring."

The Blame Game: A Losing Strategy

As expected, healthcare executives and their business partners blame one another, according to the report. Institutions say their partners aren't doing enough to secure critical data, while those business associates respond that healthcare organizations themselves aren't investing in either their technology or their employee security policies and education.

"The findings of the Ponemon study are consistent with what most would have guessed about the state of security in the healthcare industry," notes STEALTHbits' Adam Laub, Senior Vice President of Product Marketing. "It's also not surprising that BAs and healthcare organizations are pointing fingers at each other; and they're both right. However, a recent survey conducted by the Nasdaq and Tanium found that over 90% of corporate executives admitted to not being able to read or understand a cyber security report, and 40% felt no personal responsibility for cyber security or securing customer data. So, if you want to point a finger, point it up."

"Until senior healthcare executives feel the same level of performance pressure concerning the security of their corporate networks, and are measured against it, that they feel about their institution's financial results, these problems will persist."

Craig Kensek, security expert with Lastline, summarizes that the Ponemon report is "a call for cooperation in best practices against the bad guys. Institutions need to cooperate; the reliability of their security should not be a marketing tool for competing against each other. It's time to end the 'closing the door after the horse is gone' mindset."

At a minimum, Kensek recommends basics such as penetration testing, policies and solutions to better manage BYOD, and sharply improved security detection and prevention measures, to avoid the financial losses and the damage to reputation and public confidence that follow a breach.