Community Health Systems. Anthem. Premera. CareFirst BlueCross BlueShield. UCLA. These are just some of the healthcare organizations that have been the victims of major breaches in the past year. From these incidents, we can infer that hackers understand the utility of patient information stolen from organizations in the healthcare sector. Attackers know that they can leverage stolen health records to commit financial fraud and medical insurance fraud, as well as hack vulnerable medical devices, like older drug infusion pumps made by Hospira. Additionally, as these organizations continue to grapple with security weaknesses in the workplace–such as outdated technology and insecure medical devices–and new advancements in technology–including the use of digital patient records–hackers will no doubt continue to target the healthcare industry as a whole for years to come.
Given these threats, it is important to examine how healthcare executives view information security and on what security challenges in particular they place the greatest emphasis.
Fortunately, KPMG has published a survey entitled Health Care and Cyber Security: Increasing Threats Require Increased Capabilities that responds to those exact observations.
A global network of firms providing tax, audit, and advisory services, KPMG collaborated with Forbes Insight to survey 223 healthcare executives about their views on security. These individuals currently work for 161 different provider organizations and 101 different health plans, all of which make more than $500 million, according to an article published by iHealthBeat.
The major findings of the survey are broken down into two main subsections: Top Threats and Discrepancies/Challenges.
Sixty-five percent of respondents named external actors the top vulnerability in data security. Third parties followed this vulnerability category at 48%, which further illustrates healthcare executives’ concern with threats that originate outside of the organization. Meanwhile, employee breaches and wireless computing tied at 35%, with inadequate firewalls coming in last at just above a quarter of respondents (27%).
As for information security concerns, malware came in first at 67%, with HIPAA violations close behind at 57%. The three major subsequent infosec concerns–internal vulnerabilities, medical device security, and aging IT hardware–all came in at less than or equal to two-fifths of the respondents. (40%, 32%, and 31%, respectively.)
“The richness of the information means that the cyber security threat to healthcare has increased,” says Michael Ebert, KPMG partner and healthcare leader at the firm’s Cyber Practice. “The magnitude of the threat against healthcare information has grown exponentially, but the intention or spend in securing that information has not always followed.”
The issue of security investment is discussed in our next section: Discrepancies/Challenges.
It is important to begin this section by distinguishing the priorities of healthcare providers from those of payers. Where as the former are most concerned about financial loss (57%) and reputational loss (46%), the latter is mainly interested in regulatory enforcement issues (50%) and litigation (45%) potentially cutting into their profit margins. For these reasons, healthcare providers and payers respond to security threats differently.
On the positive side, healthcare organizations are spending more time engaging the topic of information security. For instance, more than half of providers and payers at 53% and 66%, respectively, feel that they are ready to defend against threats to their networks. Even more impressive, close to 90% of both providers and payers have made information security a boardroom topic over the past year and have subsequently increased investment in their defense capabilities.
Unfortunately, KPMG’s findings suggest that those efforts have resulted in little meaningful change for those organizations’ security readiness. Close to half (44%) of organizations detected only between 1 and 50 network threats over the past year, which suggests that these organizations underreported the number of actual threats they discovered and/or that they do not have sufficient means to identify, track, and respond to emergent risks. This latter point may very well be the case: not only do some healthcare providers and payers lack a leader in charge of information security at 19% and 8%, respectively, but an even greater percentage of both do not have a security operations center in place. (25% and 20%, respectively.)
Additionally, KPMG’s findings show a discrepancy between increased infosec investment and the adequate levels of security for business-critical resources. IT compliance/risk management ranks the highest in this category at 70%. Others, such as monitoring technical infrastructure resources for health and welfare and managing security risks, rank in considerably lower at 49% and 35%, respectively.
Greg Bell, who leads KPMG’s Cyber Practice, feels that the survey illustrates how many organizations may be underestimating the security threats facing them.
“Healthcare organizations that can effectively track the number of attempts have less cause for worry than those who may not detect all of the threats against their systems,” said Bell. “The experienced hackers that penetrate a vulnerable health care organization like to remain undetected as long as they can before extracting a great deal of content, similar to a blood-sucking insect.”
Bell is right. However, effective security requires more than just tracking. As the KPMG survey recommends, organizations need to adopt comprehensive information security strategies that apply to their entire business infrastructure, invest in security awareness training for their employees, and create security leaders/SOCs that are capable of identifying and mitigating security risks.
These efforts can be met by a unified effort on the parts of healthcare providers, device manufacturers, and legislators to replace outdate technology and improve medical device security over time.
“We’re going to get there,” Ebert said. “It’s just going to be harder for the health care industry because they’re that far behind.”
To read KPMG’s survey results in full, please click here.
Title image courtesy of ShutterStock