
Healthcare Institutions Need to Treat Security Weaknesses

24 Sep 2015 by Bob Violino

Some industries seem to be natural targets for hacker attacks and other security threats, and healthcare is one of them. That makes the challenge of safeguarding digital resources even more daunting for IT and security executives in hospitals, clinics and other healthcare institutions.

Companies in the healthcare sector have to be concerned about financial and data losses due to breaches. They also have to be in compliance with regulations that mandate the protection of electronic health records and other patient information.

Healthcare is clearly a heavily targeted market. Research firm Gartner Inc. estimates that about 40 million healthcare records have been breached to date, and the industry has much work to do to bolster its cybersecurity.

The hack heard around the healthcare world

Following the major hacker attack at health insurance provider Anthem early in 2015, Avivah Litan, cybersecurity analyst at Gartner, told the Associated Press, "The healthcare industry is generally about 10 years behind the financial services sector in terms of protecting consumer information."

That assault against Anthem, one of the largest health insurance providers in the United States, was disclosed by the company in February 2015, when it revealed that hackers had gained access to the personal information of millions of its employees and members.

The breach was reported to be among the biggest ever at an insurance company, and it affected all of the company’s product lines. Indeed, according to a post on Anthem’s website, the attack affected Blue Cross and Blue Shield plans that aren’t even owned by Anthem. Because so many Americans rely on Anthem for its services, the attack drew lots of attention and scrutiny.

Insider threats to electronic health information

Healthcare-related companies are vulnerable to security breaches for a number of reasons. For one thing, they deal with a lot of personal information that can potentially be used for identity theft. The advent of electronic health and medical records means that more information than ever is available in a form that can potentially be hacked.

According to the Healthcare Information and Management Systems Society (HIMSS), a global, not-for-profit organization that promotes better healthcare through IT, electronic health data breaches are a primary concern, in spite of the increased use of security technologies.

The 2013 HIMSS Security Survey found that organizations need to do more to stop insider threats, for example inappropriate employee access to data. The survey analyzed the data security experiences of 283 IT and security professionals at U.S. hospitals and physician practices, and according to HIMSS its findings identify the greatest perceived “threat motivator” as healthcare workers snooping into the electronic health information of friends, neighbors, spouses or co-workers.
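The snooping scenario HIMSS describes is one that an audit log can actually catch. The following Python script is an added illustration, not code from the article, HIMSS or Insight: it runs a few rule-based checks over a constructed EHR access-log extract and flags an employee opening their own chart, a co-worker's chart, or the chart of someone who shares their surname or street address, plus any access by someone who is not on the patient's care team. The employee directory, patient list, care-team assignments and log lines are all constructed sample data, and the column names and identifiers are assumptions.

```python
"""Rule-based screening of EHR access logs for employee snooping.

Added example with constructed data; not code from the article or HIMSS.
Flags an access when:
  * the employee opened their own chart               (self_access)
  * the patient is a co-worker, i.e. also an employee  (coworker)
  * patient and employee share a surname               (shared_surname)
  * patient and employee share a street address        (shared_address)
  * the employee is not on the patient's care team and
    none of the above applies                          (not_on_care_team)
Accesses by assigned care-team members with no such relationship are
treated as routine and are not reported.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    person_id: str
    surname: str
    street: str


# --- Constructed sample directory (hypothetical names and addresses) ---
EMPLOYEES = {
    "u100": Person("u100", "Nguyen", "12 Elm St"),
    "u101": Person("u101", "Patel", "7 Oak Ave"),
    "u102": Person("u102", "Garcia", "3 Pine Rd"),
}
PATIENTS = {
    "p1": Person("p1", "Smith", "99 Main St"),
    "p2": Person("p2", "Nguyen", "12 Elm St"),   # the chart of employee u100
    "p3": Person("p3", "Patel", "50 Birch Ln"),  # shares u101's surname
    "p4": Person("p4", "Garcia", "3 Pine Rd"),   # the chart of employee u102
    "p5": Person("p5", "Lee", "7 Oak Ave"),      # lives on u101's street
}
# Patient charts that belong to staff members: patient_id -> employee user_id
PATIENT_TO_EMPLOYEE = {"p2": "u100", "p4": "u102"}
# Assigned care teams: patient_id -> user_ids allowed routine access
CARE_TEAMS = {
    "p1": {"u100", "u101"},
    "p2": {"u101"},
    "p3": {"u100"},
    "p4": {"u101"},
    "p5": {"u102"},
}

# --- Constructed audit-log extract (CSV, as an EHR might export it) ---
AUDIT_LOG = """\
timestamp,user_id,patient_id,action
2015-09-01T08:02:11,u100,p1,view
2015-09-01T08:05:40,u100,p2,view
2015-09-01T09:10:02,u101,p3,view
2015-09-01T09:12:55,u101,p4,view
2015-09-01T10:30:00,u101,p5,view
2015-09-01T11:00:00,u102,p1,view
2015-09-01T11:05:00,u102,p5,view
2015-09-01T11:09:00,u999,p1,view
"""


def classify_access(user_id, patient_id, employees=EMPLOYEES, patients=PATIENTS,
                    patient_to_employee=PATIENT_TO_EMPLOYEE, care_teams=CARE_TEAMS):
    """Return the list of reasons an access is suspicious (empty = routine)."""
    if user_id not in employees or patient_id not in patients:
        return ["unknown_id"]  # the log names a principal the directory does not know
    emp, pat = employees[user_id], patients[patient_id]
    reasons = []
    if patient_to_employee.get(patient_id) == user_id:
        reasons.append("self_access")
    elif patient_id in patient_to_employee:
        reasons.append("coworker")
    if emp.surname.casefold() == pat.surname.casefold():
        reasons.append("shared_surname")
    if emp.street.casefold() == pat.street.casefold():
        reasons.append("shared_address")
    # Relationship rules fire even for assigned staff; the catch-all does not.
    if not reasons and user_id not in care_teams.get(patient_id, set()):
        reasons.append("not_on_care_team")
    return reasons


def find_snooping(log_text, **directory):
    """Parse the CSV extract and return one finding per suspicious access."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = classify_access(row["user_id"], row["patient_id"], **directory)
        if reasons:
            findings.append({"timestamp": row["timestamp"], "user_id": row["user_id"],
                             "patient_id": row["patient_id"], "action": row["action"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_snooping(AUDIT_LOG):
        print(f"{f['timestamp']} {f['user_id']} -> {f['patient_id']}: {', '.join(f['reasons'])}")
```

On the sample data, six of the eight accesses are reported and the two routine care-team views are not. The surname and street matches are deliberately noisy heuristics (common surnames, apartment blocks), so findings like these belong in a privacy officer's review queue rather than in an automatic block; in a real deployment the directory would come from the HR system and the log from the EHR's own audit trail.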

Money spent on security, or the lack of it, is another challenge. Although more than half of the survey respondents said they had increased their security budgets in the past year, about half said they were still spending 3% or less of their overall IT budget on security initiatives to protect patient data.

Impact of BYOD

Many healthcare organizations also use mobile technology every day to provide better service to patients and families. A growing number of doctors, nurses and other healthcare professionals use smartphones, tablets and other devices to access, share and store records. Theft or loss of one of those devices exposes the data stored on it and can hand an outsider whatever access to the organization's network the device carries. To support the growing use of mobile technology, many healthcare organizations have also expanded their wireless networks, which introduces security issues of its own.

Verizon’s 2014 Data Breach Investigations Report, which examined security threats across industries, found that physical theft and loss of mobile devices storing patient data were the most common type of security incident in healthcare. They accounted for nearly half of the sector’s incidents in 2013, easily the highest share for any industry.

Unique security challenges

As a regulated industry, healthcare is under especially intense scrutiny when it comes to safeguarding information. In particular, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act set strict requirements for how hospitals, clinics, private practices, health insurers and other covered entities must protect patient information.

The laws include rules for guarding protected health information, such as the names and addresses of patients, medical conditions, treatments and other data. Fines for non-compliance with the regulations can be high.

There are many ways in which the healthcare industry needs to improve its security, but one lesson of the huge breaches at Anthem, CareFirst and Premera is that passwords alone are not enough to protect online healthcare information.

Healthcare institutions looking to strengthen their security posture first need to conduct a thorough assessment of their security technologies and policies, to find out where the real gaps are and what they need to do to plug those gaps.

Research firm Forrester has developed a maturity model, the Forrester Information Security Maturity Model (October 2014), that provides functional explanations and evaluation criteria for all aspects of a complete information security organization. Forrester uses it in its engagements to assess IT security and risk programs, and it also gives clients a comprehensive self-assessment tool.

The Forrester model includes a framework that describes all of the required functions and components of a comprehensive security program, organized in a three-tiered hierarchy. It also provides a methodology for evaluating the maturity of each component of the framework on a consistent, prescriptive scale, and for reporting that maturity at a level of detail that can be adjusted for different audiences.

With a comprehensive security assessment, healthcare providers can more accurately understand where and how they need to make improvements. Armed with this knowledge, they can bolster security and take important steps toward ensuring that the data they hold is well protected.

Get in touch with Insight at 1.800.INSIGHT. Find answers to your pressing security questions and discover background information that will help you make a well-informed decision. Take the Forrester security assessment to begin treatment of your healthcare organization’s security.