The sixth annual “Ponemon Institute Benchmark Study on Privacy & Security of Healthcare Data” reflects the sector’s escalating security problems as a primary target for malicious actors. The study finds that 89% of the healthcare institutions and organizations surveyed had a data breach in the past two years, with 79% reporting two or more in 24 months and nearly half (45%) reporting more than five. A full 60% of third-party business associates have also been breached in the last two years. Beyond the impact on privacy and, in the case of ransomware attacks, on quality of care, the financial impact of these breaches is major: an estimated $6.2 billion in the last year.
Brad Bussie, Director of Product Management, STEALTHbits Technologies:
“A good tactic that healthcare and third-party business associates could adopt is in-sourcing security professionals. Cyber security is advancing exponentially and organizations can capitalize on this explosive growth. There are firms that specialize in securing healthcare and third-party business associates with models that cater to capital expenditures or operating expenditures. The excuse that there is a lack of budget, people, or expertise to manage data breaches is no longer valid. Security by obscurity is to blame and, unfortunately for healthcare, the spotlight has been turned directly towards where they have been hiding.”
Adam Laub, Sr. Vice President, Product Marketing, STEALTHbits Technologies:
Craig Kensek, security expert, Lastline:
“Security is going to take a coordinated effort between health care organizations, and every doctor who sends/receives patient records is a potential source of data loss, either where data is stored or while it’s in transit. In effect, this study is another potential call for off-network backups and the encryption of critical data. In some respects, health data/patient records are more valuable than financial data to consumers as well as bad actors. You can always open new accounts, change institutions, and do a variety of things – short of changing your social security number. Your health records are “forever” and can now be used for a variety of fraud purposes, which is why the cost of a stolen health record on the dark web is greater than that for a financial record.
“For both financial institutions and health organizations, this is a call for cooperation in best practices against the bad guys. Institutions need to cooperate – the reliability of their security should not be a marketing tool for competing against each other.
“Institutions must invest in penetration testing before they are breached, rather than wait until after. It’s time to end the ‘closing the door after the horse is gone’ mindset. Penetration testing is much less expensive to invest in than breach remediation, as are security detection and prevention, and it avoids the impacts of actual losses, brand losses, loss of consumer confidence, etc. Rigorous employee training is essential, such as random “attacks” initiated by the institutions themselves.
“BYOD continues to be a weakness. Institutions must enforce policies, and ensure that employees adhere to them, regarding the employee’s own devices. Make sure there are ‘phone home’ capabilities and, if the device is lost, the institution should be allowed to make it into a brick, rendering the device useless.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.