Healthcare industry seeks to reform its position as hacking target

During the first half of 2015 the healthcare industry suffered the most data breaches and had the most records stolen of any sector. 

When it comes to IT security, the healthcare industry is in critical condition.

Massive data breaches, like the ones that have befallen Anthem, Premera Blue Cross, and HealthCare.gov in the past 18 months, underscore how the industry has become a prime target for data theft. At the same time, they finally appear to have captured the attention of top executives.

Indeed, during the first half of 2015 the healthcare industry suffered the most data breaches (187 out of 888) and had the most records stolen (84.4 million out of 245.9 million) of any sector, according to the Gemalto Data Breach Index. Anthem was also on the receiving end of the largest single identity theft in terms of magnitude during that six-month period, with 78.8 million records stolen.

See also: Data Management: Not If, But When

“The healthcare industry historically has had the highest number of data breaches, and that was no different in the first half of 2015,” read one Gemalto report in part.

Christopher Paidhrin, former chief information security officer of PeaceHealth Medical Group and current information security manager for the city of Portland, Oregon, says this trend is not surprising considering the “lasting value of healthcare data, the dollar-per-byte return on attack is significantly higher than other forms of stolen data. Credit card data's life cycle value is measured in days and weeks, but personally identifiable information extracted from protected health information has value for years,” he explains.

To make matters worse, the healthcare industry is notoriously slow to identify data breaches — making it even more of a prime target for criminals.

“Delays in detection keep open the window of opportunity, allowing criminals to leverage the stolen information in multiple ways,” Paidhrin adds.

Gabe Gumbs, a former IT security officer for Pfizer for seven years and current VP of strategy at Identity Finder, agrees that healthcare data has a much longer shelf life than credit card information. He notes that the theft and misuse of stolen information “takes a long time to show up, such as in fraudulent billing and healthcare identity theft.” As a result, healthcare data typically fetches 10 to 50 times as much cash as financial data on the black market.

In fact, 81% of healthcare executives surveyed for a 2015 KPMG cybersecurity report admitted that their IT security has been compromised at least once in the past two years despite the regulatory and legal consequences of a data breach. The report also revealed that the healthcare industry as a whole is behind other industries when it comes to cyberattack readiness and security technology capabilities.

Yet, despite the noticeable uptick in the number and severity of IT data breaches within healthcare and pharma, the current level of security is low, according to Jon Wilkinson, privacy officer for IBM's Watson Health and a former IT security officer for Philips Healthcare.

“The industry needs to be cautious and aware of this increasing risk, but I'm not seeing panic yet,” he notes.

There may not be panic in the streets, but the healthcare industry is slowly evolving how it erects and manages data security. Sensing the potential loss of trust, as well as the tremendous costs that could come with the exposure of personal information, the industry is beginning to step up its defensive game.

Indeed, recent studies confirm that customers are much less likely to trust any service provider that has experienced a breach, says Paidhrin.

“Healthcare is a highly competitive industry,” he adds. “If patients have a choice of providers, they will choose the one they trust to take the best care of them, their health, and their personal information.”

HELP WANTED

Loss of reputation typically ranks among the top five enterprise risks for healthcare organizations, Paidhrin states. This is driving healthcare organizations as a whole to increase their information security budgets — which doesn't necessarily mean they're actually addressing the core problem. Some, Paidhrin cautions, are “throwing technology at the crisis, but [are] still having a difficult time recruiting the necessary talent to leverage the tech, integrate it into a diverse service environment, and demonstrate the effectiveness of the investments.”

The problem with the personnel gap in IT security in healthcare is that demand far outpaces availability of qualified people. The number of available cybersecurity positions overall grew 91% between 2010 and 2015, but the number of those jobs in the healthcare industry grew by 121%, according to the Job Market Intelligence: Cybersecurity Jobs 2015 report from Burning Glass.

See also: Brace for the Breach

In a heavily regulated industry like healthcare, IT security officers are not only expected to have data-­security chops but also a solid background in compliance — including specific experience with HIPAA, HITECH, and PCI DSS — which isn't easy to come by in an employment market where even newbie cybersecurity pros are being offered comfortable starting salaries.

Watson Health's Wilkinson nonetheless senses a silver lining to the breaches and backlog of unfilled positions: an “increased awareness that all parties in the healthcare space have a role in protecting healthcare data.” And that goes for taking a firmer hand with vendors, he adds.

“What has changed in the past couple of years is that most entities are asking what their partners are doing to protect information,” Wilkinson says.

To that end, more large healthcare organizations are giving their chief information security officer a seat at the table in vendor evaluations. Plus, they're conducting more frequent and more thorough security audits and demanding that vendors and subcontractors do the same.

“The various parties are doing more to keep each other honest,” he explains.

LIFE'S A BREACH

“Healthcare companies are realizing that they need to have a good breach-response plan in place," said Gabe Gumbs, VP of strategy at Identity Finder. Photo credit: Duane Storey/Creative Commons

Indeed, better audits and more frequent reviews of company logs are already helping organizations weed out potential acts of unauthorized access and detect breaches more quickly. The availability of better automated auditing and reviewing tools is also playing a big role.

“Automating as much of your data-security process with technology — not having technology dictate or be the tail that wags the dog — is important,” Gumbs stresses.

Wilkinson, for his part, adds that more companies and providers are testing their breach-response mechanisms by running intrusion simulations.

See also: Providers, devicemakers lag in IT defense

“Quick discovery is crucial,” he explains. “Healthcare companies are realizing that they need to have a good breach-response plan in place.”

Finally, many healthcare organizations have adopted a data-centric approach to their security practices by locating and classifying their protected healthcare data and applying security controls based on those classifications.

“This approach reduces the burden of broadly applying controls to everything and reducing the need to treat all data as equal — when, indeed, it is not — and resources remain limited,” Gumbs adds.

Paidhrin agrees that healthcare must prioritize the “shortening of time between a breach and detection because an organization can't respond to an incident it is unaware of.” Information-security teams are also increasingly adopting another best practice: employing a “business value–driven security program, a framework that is customized to the needs and capabilities, and the maturity, of their organization,” he adds.

“[This approach] focuses not on tech but on engagement because it's what people do and don't do that most exposes confidential information,” Paidhrin adds. “An engaged workforce protects confidential information better when they regard the information as their own.”