By Axel Wirth, healthcare solutions architect, Symantec
Securing patient data and protecting healthcare’s IT infrastructure in today’s cyber landscape is fraught with challenges, and risk looms around every corner. From safeguarding medical devices to adopting the cloud to properly training employees, healthcare organizations need all the help they can get when it comes to cyber security. In 2017 alone, the Office of Civil Rights in the U.S. Department of Health and Human Services reported 295 healthcare providers suffered a breach of more than 500 records. These reported breaches affected a total of 4,770,889 individuals – and most of these breaches could have been mitigated with proper technology, protocols, and training.
Healthcare is an industry highly targeted by hackers and recovering after a breach is getting costlier than ever for healthcare organizations. A recent study found the average cost of a data breach per lost or stolen record was $380 for healthcare compared to $245 for financial services. Additionally, the Symantec 2017 Internet Security Threat Report found that healthcare saw a 22 percent increase in breaches from the year before, as hackers finely tune their attacks.
That’s not to say healthcare isn’t making improvements. In fact, the third annual Symantec and HIMSS Analytics “IT Security and Risk Management Study,” which gathered insight from more than 100 hospital executives, IT professionals, and clinical leadership, found that the cyber security tide in healthcare has started to turn. But is it turning quickly enough?
Survey respondents said that healthcare organizations are beginning to implement practices that demonstrate a more mature understanding of cyber security. In fact, the survey revealed that cyber security is no longer considered solely an IT responsibility or compliance issue. This is a sizable shift from the previous year – in 2017, 94 percent of respondents said risk assessment was one of the top three drivers for security investments, compared to just 74 percent in 2016.
Additionally, survey respondents said that C-Suite executives are taking cyber security more seriously, with more organizations using risk frameworks like the National Institute of Standards and Technology’s Cyber Security Framework or the Health Information Trust Alliance. Eighty (80) percent of C-Suite executives are also taking a more hands-on approach to cyber security by including security briefs at board meetings (whether formal or ad-hoc) and proactively discussing risks.
While healthcare leaders are making strides in cyber security, the pace of change is not fast enough to stave off the high volume of attacks, particularly as the IT environment becomes more complex with medical devices and cloud migrations. A majority (71 percent) of respondents are unsure of the cloud and how to secure it, even though three of four providers are already using it in some way. And, 95 percent of respondents identified more than one obstacle to securing medical devices, and have widespread concerns about implementing security measures to these devices.
Respondents also indicated they are less confident in their organization’s ability to fend off attacks than they were the year before. While 73 percent of respondents identified “budget” as the most significant barrier to improving their security programs, they also identified “staffing” and “skillsets” as additional barriers. The survey also revealed that security spend has remained flat for the past three years, with only 6 percent of IT budgets dedicated to security – so while threats are on the rise, investments are not.
These are major concerns for the industry – so what can healthcare leaders do to combat new threats and improve their security postures? For those attending the HIMSS conference in Las Vegas this week, we hope to continue this conversation. At Symantec, we recommend the following for healthcare providers seeking to advance their risk management program:
- Create a culture of cyber security through awareness and increased training across the organization and as appropriate for the respective roles.
- Implement an integrated cyber defense platform rather than deploying a collection of point products and solutions.
- Assure a homogeneous security approach spanning from traditional endpoints and networks to mobile devices and cloud applications.
- Ensure all necessary stakeholders (IT, Legal, PR and Communications, Clinical Staff, Executives, etc.) are involved in Incident Response planning.
- Continue to engage the Board on security strategy and enable security risk understanding from a business perspective.
Cyber security concerns in healthcare aren’t going away anytime soon. For healthcare IT leaders, executives, and patients, securing data is crucial to keeping hospitals and providers open, operating, and providing the best level of care possible while protecting their patients’ data. As IT environments become more complex, due to the proliferation of medical devices and the shift to cloud, healthcare providers must continue to build on the progress made in elevating security to the business level, while deploying technology and policies that enable them to protect data no matter where it resides.
About The Author
As a Solutions Architect, Axel Wirth provides strategic vision and technical leadership within Symantec’s Healthcare Vertical, serving in a consultative role to healthcare providers, industry partners, and health technology professionals. Drawing from over 25 years of international experience in the industry, Mr. Wirth is supporting Symantec’s healthcare customers to solve their critical security, privacy, compliance, and IT management challenges. He is an active participant in industry organizations and a frequent speaker at conferences, forums, and webcasts on subjects such as cyber security, medical device security, mobile health infrastructure, compliance automation, IT infrastructure optimization, and other healthcare-specific topics. His extensive background in the healthcare IT and medical device industries includes engineering leadership as well as strategic business development and marketing roles with Siemens Medical, Analogic Corp, Mitra Inc., Agfa Healthcare, and currently Symantec Corp. He holds a BS Electrical Engineering degree (EE) from Fachhochschule Dusseldorf and an MS Engineering Management degree (MSEM) from the Gordon Institute of Tufts University.