Executive summary

Michela Menting

Digital Security Research Director
ABI Research

The healthcare industry is an increasingly valuable target for cyber attacks. Healthcare organisations and providers are routinely subject to sophisticated threat campaigns leveraging complex malware, large DDoS, data theft, network breaches, account hijacking, unauthorised access, and malicious insiders. In addition to overtly hostile actions, other threats loom large for the healthcare sector, notably inadvertent mistakes, vulnerable hardware and insecure APIs, all of which contribute to the massive loss of data suffered in the past few years by numerous providers.

In addition to these attacks, there is the growing issue of vulnerable connected peripherals, sensors, and other medical devices progressively being used within the industry to track and monitor patients, whether on site or remotely. The healthcare Internet of Things (IoT) is an emerging reality, and many of these newly connected devices will be subject to the same inherent vulnerabilities and risks associated with the broader IoT, such as replay or side-channel attacks against RFID and NFC or the difficulty in applying crypto frameworks to power-constrained devices with limited computational abilities.

Security is a vital component for next-generation health IT if the potential for leveraging the IoT and big data are to be realised at all and for the continued protection of personal health information and other medical data beyond the database. Integrating health systems with large amounts of genomic, social, clinical, financial, social, and environmental data will enable real-time analytics and indubitably lead to improved patient healthcare in the long term. Security and privacy regulations regarding the processing, storage, and transmission of patient data — such as HIPAA, HITECH, EU directives, breach notification requirements, as well as associated penalties for non-compliance — can serve as a first critical element to ensure security is taken more seriously.

Derek Brink

Vice President and Research Fellow
Aberdeen Group

Adjunct Faculty
Brandeis University and Harvard University

“The wonderful thing about standards is that there are so many of them to choose from.” — Rear Admiral Grace Murray Hopper, pioneering computer scientist

The transformation that IT has made on contemporary society — from the time that Grace Hopper was programming the first modern computer (IBM’s Mark I, at Harvard University) in the mid-1940s, to the present day — simply boggles the mind. And this transformation has continued and accelerated, with the recent waves of disruptive information technologies such as mobility, social collaboration, virtualisation and cloud computing, big data, and predictive analytics, to name a few.

Information security has tried to keep pace with IT, with the result being a rich and complex array of security technologies that solution providers have already made available, and which continue to be introduced. On the one hand, the result of such innovation and investment is a testament to the importance of the information security problem. On the other hand, having such an overabundance of options can make it painfully difficult for the security team in any given organisation to sort through all of the alternatives, and to make the necessary choices for the mix of controls that represents the best fit for their specific context.

Add to this the complexity of compliance, where security and privacy requirements from multiple regulatory authorities have to be understood, interpreted, and applied by every organisation, in the specific context of their systems, their applications and data, their users, their industry, their mission, their strategy, and their appetite for risk. With a nod to Admiral Hopper, the wonderful thing about security-related compliance requirements is that there are so many of them to choose from.

Out of these multiple layers of complexity — which some in the information security industry have referred to as “the fog of more,” and which has also been written about as “the paradox of choice” — there has recently been a strong movement towards simplification. One example is the so-called Critical Security Controls movement, which aims to use the power of community to identify a small number of security controls that are proven to have a high payoff in terms of preventing known attacks. Another excellent example is this guide, which aims to describe a set of basic security practices for healthcare organisations that will not only help to safeguard sensitive patient data, but also to satisfy an array of overlapping compliance requirements from the United States (the Health Insurance Portability and Accountability Act, or HIPAA) and the United Kingdom (the Data Protection Act).

My own view is that such lists are not a recipe to be blindly and strictly followed, but rather a needed, welcome, and much quicker path to considering the successful choices that others have made — which organisations can then adapt in the way that works best for their own environment.

David Childers

Fellow
Open Compliance & Ethics Group (OCEG)

Healthcare organisations are now the number one target for hackers and state sponsored cyber-thieves. Of all the major breaches in 2014, 42% of these events occurred in a health-related organisation. Data protection experts agree that the number of breaches in healthcare is going to increase.

The reason for this increase is simple. The value of a healthcare record is seven to ten times greater than a credit card record. Protected health information (PHI) has a longer “shelf life” than traditional financial data, and it can provide a unique view to a population for foreign governments.

With the requirement to transform medical records to an electronic form, IT professionals are fighting to secure records, cloud storage, appropriate access and confidentiality — all within an environment where immediate access to data is literally life and death. But 70% of the data losses are caused by human error. Both Ponemon and Experian in their latest reports regarding data breach and protection challenged healthcare organisations to “step up” their security posture. Not only did these studies cite the increase in breach event activity but noted the likely rise in legal and regulatory scrutiny that will come in 2016.

Protective efforts must extend beyond the IT departments and focus on the creation of the “human firewall.” Everyone within the organisation needs to understand their responsibility for protecting PHI. But to do that they need to first understand the risks, know the right way to access, transfer and store data and to be vigilant to social engineering like, pretexting, blagging and phishing. This report comprehensively reviews the steps and requirements organisations need to take to improve their data security posture. It can serve as a place to start or a way to review your current data protection and data privacy programs.

Fran Howarth

Senior Analyst
Bloor Research

Security breaches in healthcare can be particularly serious owing to the nature of the information and the impact that a breach can have on the individuals concerned. In 2014, 42.5% of the breaches identified by the Identity Theft Resource Center occurred in the medical/healthcare sector. This report contains important information regarding security practices in the healthcare sector, showing the current status of how organisations are looking to secure their networks and sensitive data. As such, it sheds light on best practices, providing a checklist that organisations would be well advised to follow.