Continued focus on compliance ahead of data breach prevention (at least in the US).
2016 Vormetric Data Threat Report – Healthcare Edition
Vormetric recently (April 2016) announced the results of the Healthcare Edition of the 2016 Vormetric Data Threat Report (DTR). The report is issued in conjunction with analyst firm 451 Research and reports responses from 1,100 senior IT security executives at large enterprises worldwide, including over 100 in U.S. healthcare organizations. This edition of the fourth annual report extends the findings of the global report by focusing on responses from IT security leaders in healthcare, detailing their IT security spending plans, perceptions of threats to data, rates of data breach failures and data security stances. Key findings:
- 96 percent feel vulnerable to data threats
- 63 percent have experienced a past data breach, with nearly one in five indicating a breach in the last year
- At 61 percent, meeting compliance requirements was the top IT security spending priority, with preventing data breaches well behind at 40 percent
- Complexity at 54 percent, and lack of staff at 38 percent, are identified as top barriers to adoption of better data security
- Bright spots include 60 percent increasing spending to offset threats to data and 46 percent increasing spending on data-at-rest defenses this year
Healthcare data has become a prime target for cybercriminals. With records selling for hundreds of dollars, it’s no wonder healthcare professionals feel they are in a cybercriminal’s crosshairs. When asked about concerns with external threat actors, 72 percent chose cybercriminals as a top three selection, and 39 percent as the number one selection.
Compliance continues to drive healthcare organizations – But compliance is not enough
With adherence to a myriad of federal and industry regulations and compliance standards forming a minimum requirement for doing business, it’s no surprise that IT security professionals in the healthcare field are focused on meeting compliance requirements, including HIPAA-HITECH, EPCS, PCI DSS and FDA CFR Title 21. With this in mind, the top three reasons to secure sensitive data were:
- Compliance (61 percent)
- Reputation and brand (49 percent)
- Implementing security best practices (46 percent)
The problem? 69 percent of U.S. healthcare respondents view meeting compliance requirements as a ‘very’ or ‘extremely’ effective way to protect sensitive data, yet slow-moving compliance standards consistently fail to stop today’s multi-phase attacks.
“Compliance is only a step towards Healthcare IT security,” said Garrett Bekker, senior analyst, information security, at 451 Research and the author of the report. “As we learned from data theft incidents at healthcare organizations that were reportedly HIPAA compliant, being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen.”
Times have changed – security strategies, not so much
“IT security professionals are spending heavily on what has worked for them in the past,” said Bekker. “They are continuing to invest in defenses like network and endpoint security offerings that offer little help in protecting data once perimeters have been breached.”
- 79 percent rated network defenses as ‘very’ or ‘extremely’ effective at protecting data, and 64 percent said the same of endpoint and mobile defenses
- The top category for increased spending over the next 12 months among healthcare respondents? Network defenses at 49 percent
What’s keeping healthcare professionals from implementing data security?
A perception of complexity was identified as the number one barrier to adopting data security widely, selected by 54 percent of healthcare respondents. To some extent, this may be a misconception, as modern data security solutions no longer have the deployment and maintenance problems of older solutions that respondents may be familiar with.
Complex deployments also typically require significant staffing, and ‘lack of staff to manage’ came in as the second highest barrier at 38 percent, followed by lack of organizational buy-in at 33 percent and lack of budget at 30 percent.
IoT, Cloud and Big Data challenge healthcare IT security practices
IoT: With more work being done on mobile devices by medical professionals, and more connected wearables for general health and outpatient use, this is becoming a prime area of concern for the future of healthcare. Data needs protecting on the device, in transit, and within backend repositories and analysis sites.
- 38 percent of healthcare organizations are planning to store sensitive data in IoT environments
- Their top concerns? Privacy violations related to IoT data (37 percent), followed closely by protection of IoT data (36 percent)
Cloud: Healthcare providers have many concerns with cloud usage, but are storing sensitive data there at breakneck speed. Top concerns included:
- Privileged user abuse at the cloud provider level (74 percent)
- Meeting compliance requirements (72 percent)
- Security breaches at the cloud provider level (69 percent)
Even so, 48 percent will use Software as a Service (SaaS) environments, 52 percent Infrastructure as a Service (IaaS) and 52 percent Platform as a Service (PaaS) resources within the next 12 months.
Encrypting data and maintaining local control over keys was the number one factor that would increase healthcare respondents’ willingness to use public cloud, at 48 percent of responses.
Big Data: 51 percent of respondents were planning to store sensitive data within big-data environments, but few were worried. In spite of this high level of use with sensitive data, only 15 percent regard big-data implementations as presenting a top three risk for loss of sensitive information.
Getting some things right
A number of positive results indicate that healthcare organizations are taking steps in the right direction to recognize and deal with the problem.
- 60 percent are increasing spending to protect sensitive data
- 46 percent, more than any other vertical, plan to invest in data-at-rest defenses this year
- 46 percent are looking to implement data security to follow industry best practices
- Many are planning to implement ‘newer’ security tools that are more effective at protecting data even when other defenses have been compromised. These include cloud security gateways (39 percent), Security Information and Event Management (SIEM) systems (36 percent), tokenization (35 percent) and data access monitoring (34 percent)
“With the boom in black market sales of healthcare data, the potential for financial harm to patients’ privacy and security from inadequately protected data is growing fast,” said Tina Stewart, vice president of marketing for Vormetric. “Yet compliance requirements that can’t completely safeguard data continue to be the driver for healthcare industry IT security practices. For healthcare organizations, they now have to prioritize the safety of patient data and privacy as part of patient care, and realize that meeting compliance requirements is only a start.”
The research report is available from Vormetric and can be found here.