Vormetric, a Thales company, and a leader in enterprise data protection for physical, virtual, Big Data, and cloud environments, recently announced the results of the Healthcare Edition of the 2016 Vormetric Data Threat Report. The report is issued in conjunction with analyst firm 451 Research, reporting responses from 1,100 senior IT security executives at large enterprises worldwide, including over 100 in US health care organizations. This edition of the fourth annual report extends earlier findings of the global report, focusing on responses from IT security leaders in health care, which details IT security spending plans, perceptions of threats to data, rates of data breach failures and data security stances. Key findings include the following:
Health care data have become a prime target for cybercriminals. With records selling for hundreds of dollars, it's no wonder health care professionals feel they are in a cybercriminal's crosshairs. When asked about concerns with external threat actors, 72% chose cybercriminals as a top-three selection, with 39% choosing them as the number one selection.
Compliance Continues to Drive Health Care Organizations but Is Not Enough
With adherence to a myriad of federal and industry regulations as well as compliance standards creating a minimum requirement for doing business, it's no surprise that IT security professionals in the health care field are focused on meeting compliance requirements including HIPAA-HITECH, EPCS, PCI DSS, and FDA CFR Title 21. With this in mind, the top three reasons to secure sensitive data were compliance (61%), reputation and brand (49%), and implementing security best practices (46%).
The problem? Sixty-nine percent of US health care respondents view meeting compliance requirements as a 'very' or 'extremely' effective way to protect sensitive data, yet slow-moving compliance standards consistently fail to stop today's multiphase attacks.
"Compliance is only a step towards health care IT security," says Garrett Bekker, senior analyst of information security at 451 Research and author of the report. "As we learned from data theft incidents at health care organizations that were reportedly HIPAA compliant, being compliant doesn't necessarily mean you won't be breached and have your sensitive data stolen."
Times Have Changed; Security Strategies, Not So Much
"IT security professionals are spending heavily on what has worked for them in the past," Bekker says. "They are continuing to invest in defenses like network and endpoint security offerings that offer little help in protecting data once perimeters have been breached."
What's Keeping Health Care Professionals From Implementing Data Security?
A perception of complexity was identified as the number one barrier to adopting data security widely, selected by 54% of health care respondents. To some extent, this may be a misconception, as modern data security solutions no longer have the deployment and maintenance problems of older solutions that respondents may be familiar with.
Complex deployments also typically require significant staffing, and 'lack of staff to manage' came in as the second-highest barrier at 38%, followed by lack of organizational buy-in at 33% and lack of budget at 30%.
IoT, Cloud and Big Data Challenge HIT Security Practices
• IoT: With more work being done on mobile devices by medical professionals, and more connected wearables for general health and outpatient use, this is becoming a prime area of concern for the future of health care. Data need protecting on the device, in transit, and within backend repositories and analysis sites. Thirty-eight percent of health care organizations are planning to store sensitive data in IoT environments. Their leading concerns are privacy violations related to IoT data (37%) and protection of IoT data (36%).
• Cloud: Health care providers have many concerns with cloud usage but are storing sensitive data at breakneck speed. Top concerns included privileged user abuse at the cloud provider level (74%), meeting compliance requirements (72%), and security breaches at the cloud provider level (69%).
Even so, 48% will use software-as-a-service environments, 52% infrastructure-as-a-service, and 52% platform-as-a-service resources within the next 12 months.
Encrypting data and maintaining local control over keys was the number one factor that would increase health care respondents' willingness to use public cloud, at 48% of responses.
• Big Data: 51% of respondents were planning to store sensitive data within these environments, but few were worried. In spite of this high level of use with sensitive data, only 15% regard Big Data implementations as presenting a top-three risk for loss of sensitive information.
Getting Some Things Right
A number of positive results indicate that health care organizations are taking steps in the right direction to recognize and deal with the problem.
"With the boom in black market sales of health care data, the potential for financial harm to patients' privacy and security from inadequately protected data is growing fast," says Tina Stewart, vice president of marketing for Vormetric. "Yet compliance requirements that can't completely safeguard data continue to be the driver for health care industry IT security practices. For health care organizations, they now have to prioritize the safety of patient data and privacy as part of patient care, and realize that meeting compliance requirements is only a start."