Few contest the notion that healthcare IT security needs to improve. The sensitivity (and black-market value) of patient data makes the industry a frequent target of thieves, while the age and poor usability of technology in many facilities make healthcare professionals seek portability of data, paper or otherwise, with occasional unintended consequences.
Several recent reports shed some light on healthcare IT security, noting where the industry faces its biggest challenges and highlighting what it can do to better prevent data breaches. Admittedly, few of the findings are surprising, though the advice certainly can't hurt.
Reported Healthcare Breaches Abundant But Small
Verizon Business' Data Breach Incident Report (DBIR), which examines data breach information from 50 global organizations, finds that 46 percent of healthcare data breaches are the result of loss or theft. Insider misuse (15 percent) and "miscellaneous errors" such as publishing errors or improper disposal (12 percent) round out the top three causes.
Across all industries, not just healthcare, loss is 15 times more likely than theft. The main challenge, the DBIR says, is mitigating the impact of lost devices. "That suggests simply having sensitive information 'behind locked doors' isn't enough; there are still a lot of people inside those locked doors," the report says, adding that, when it comes to thieves, 86 percent either disable or bypass controls to get behind those doors.
Backing up and locking down data will help, as will encouraging users to keep mobile devices on them at all times, but encryption represents the easiest way to thwart this challenge. In fact, the DBIR says, "Encryption is as close to a no-brainer solution as it gets for this incident pattern." It's easier said than done, though, since healthcare notoriously resists encryption.
Kevin Haley, director of Symantec Security Response - which recently issued its own 2014 Internet Security Threat Report - says healthcare may eschew device encryption due to concerns about viability, deployment, the need to update desktop software and the cost. On top of that, he says, measuring return on investment is difficult.
Symantec's report found that, of all reported breaches, 37 percent came from healthcare. Haley cautions against reading too much into that, though. HIPAA regulations require healthcare to report every breach involving more than 500 individuals, whereas "many industries are less forthcoming when a breach occurs," according to the Symantec report. "For instance, if a company has trade secrets compromised, which doesn't necessarily impact clients or customers directly, they may not be quite as forthcoming with the information."
In addition, while healthcare was responsible for 37 percent of all reported breaches, these incidents constituted only 1 percent of all identities exposed in 2013, which Symantec calls "The Year of the Mega-Breach" thanks to Target and others. "Clearly [healthcare is] experiencing a lot of breaches, but they are generally small in nature," Haley says.