Trustwave’s new report on cybersecurity in healthcare highlights some worrying weaknesses and misconceptions, but it also points the way forward with tips for improving healthcare cybersecurity. HRMR reports.
Some 91 percent of technical respondents (predominantly CIOs, CISOs, IT managers, IT directors and IT vice presidents) believe criminals are increasingly targeting healthcare organizations, according to the 2015 Security Health Check Report released by cybercrime expert Trustwave.
However, 10 percent or less of their IT budget goes toward cybersecurity and protecting their patients’ highly sensitive information.
“Today’s healthcare industry is under attack. From hospitals to physicians to urgent care clinics, healthcare organizations are swimming in private data and must make security a priority in order to protect it,” says Steve Kelley, senior vice president of product and corporate at Trustwave.
“Security challenges are nothing new for any business but the level of distress exponentially increases when someone’s life may actually depend on the protection of sensitive data.”
The survey of 398 full-time healthcare professionals found that 79 percent of technical respondents and 77 percent of non-technical respondents (doctors, nurses, senior executives, board members, finance professionals, and office managers) are most concerned about losing patient data, above other types of information, if their organization is breached.
It also revealed a cognitive disconnect, in that 77 percent of non-technical respondents believe criminals are increasingly targeting healthcare organizations, but an overwhelming majority (86 percent) believe their organization has not experienced a breach.
Nearly a quarter (23 percent) of technical respondents said their organization has experienced a breach, yet studies have shown the rate to be much higher.
The survey highlights significant weaknesses in many healthcare providers’ efforts to protect data. Some 35 percent of technical respondents said their company does not have enough staff and expertise dedicated to security, and more than a third (34 percent) of technical respondents say their business performs vulnerability testing just once a year.
Half of technical respondents said 10 percent or less of their overall IT budget goes toward cybersecurity, and 27 percent reported their annual security budget has not changed in the past year. Furthermore, a quarter of non-technical respondents believe their organizations don’t have incident response plans.
Strengthen the defenses
The report goes on to make five recommendations healthcare organizations can follow to improve their strength in the face of cyber threats.
First, they need to understand the risk. “Attackers are now salivating over the copious vectors for their malicious actions,” states the report. “The expanding attack surface has only further necessitated the need to test everything across one’s databases, networks and applications.”
Trustwave warns that organizations are susceptible everywhere and should adopt a proactive risk-assessment service that combines automated vulnerability scanning with deep-dive penetration testing.
The next key step is to prioritize and take action: the report states that the big difference between healthcare and other industries, such as finance, is that organizations in healthcare have not invested as much as they should in advanced security solutions.
“These include solutions that prevent new and targeted malware and advanced persistent threats from entering the organization, hackers from stealing legitimate user credentials, hackers from probing inside the network and data from leaving the organization’s walls,” it states.
In addition, it says healthcare firms must implement security awareness training for workers, implement two-factor authentication because of the ease with which passwords can be cracked, and upgrade their incident readiness and response capabilities.
Compliance frameworks are an essential source of guidance, it continues.
“One of the problems with the Health Insurance Portability and Accountability Act (HIPAA) is that it tends to be vague in many areas of security controls. Instead, healthcare entities should turn to the Payment Card Industry Data Security Standard (PCI DSS) as a baseline to guide HIPAA compliance efforts, because the latter is a much more prescriptive framework than the former.
“IT pros will find that being fully compliant with PCI will also cover a large majority of HIPAA requirements.”
However, the report adds, any compliance mandate, HIPAA and PCI DSS included, should be viewed as the floor, not the ceiling, of good security.
“Even with them as a blueprint, organizations that go further than the rules state typically are the ones least likely to fall victim to a major compromise.”
Finally, the report advises close scrutiny of business partners’ security.
“Security must be a key part of the procurement process with a focus on measures such as network segmentation (to limit which of your resources third parties can reach) and two-factor authentication (to help lock down remote access). In addition, a service-level agreement can help cover end-to-end requirements.
“Better yet, ask to see recent penetration test reports. Healthcare organizations should take their business elsewhere if the third party can’t produce them and prove success.”