The majority of IT security leaders in healthcare feel vulnerable to data threats—but are still prioritizing compliance ahead of anything else.
That’s the word from the Healthcare Edition of the 2016 Vormetric Data Threat Report (DTR), issued in conjunction with analyst firm 451 Research. A full 96% said that they are bracing for an attack on the personal information that they house in their databases. And no wonder: About 63% have experienced a past data breach, with nearly one in five indicating a breach in the last year.
This state of affairs is mainly due to complexity (according to 54% of respondents) and lack of staff (38%), which are identified as top barriers to adoption of better data security.
Going forward, the good news is that 60% are increasing spending to offset threats to data, and 46% are increasing spending on data-at-rest defenses this year. But at 61%, meeting compliance requirements remains the top IT security spending priority, with preventing data breaches well behind at 40%. Reputation and brand (49%) and implementing security best practices (46%) were the other priorities.
“With adherence to a myriad of federal and industry regulations as well as compliance standards creating a minimum requirement for doing business, it’s no surprise that IT security professionals in the healthcare field are focused on meeting compliance requirements including HIPAA-HITECH, EPCS, PCI DSS and FDA CFR Title 21,” the report noted.
But 69% of US healthcare respondents view meeting compliance requirements as a ‘very’ or ‘extremely’ effective way to protect sensitive data, despite the fact that slow-moving compliance standards consistently fail to stop today’s multi-phase attacks.
“Compliance is only a step towards Healthcare IT security,” said Garrett Bekker, senior analyst, information security at 451 Research and the author of the report. “As we learned from data theft incidents at healthcare organizations that were reportedly HIPAA compliant, being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen.”
This, even as healthcare data has become a prime target for cyber-criminals. With records selling for hundreds of dollars, it’s no wonder healthcare professionals feel they are in a cyber-criminal’s crosshairs. When asked about concerns with external threat actors, 72% chose cyber-criminals as a top three selection, 39% as the number one selection.
“IT security professionals are spending heavily on what has worked for them in the past,” said Bekker. “They are continuing to invest in defenses like network and endpoint security offerings that offer little help in protecting data once perimeters have been breached.”
A full 79% rated network defenses as ‘very’ or ‘extremely’ effective at protecting data, and 64% said the same of endpoint and mobile defenses. The top category for increased spending over the next 12 months among healthcare respondents is network defenses, at 49%.
The report also found that with more work being done on mobile devices by medical professionals, and more connected wearables for general health and outpatient use, this is becoming a prime area of concern for the future of healthcare. Data needs protecting on the device, in transit, and within backend repositories and analysis sites. About 38% of healthcare organizations are planning to store sensitive data in IoT environments.
“With the boom in black market sales of healthcare data, the potential for financial harm to patients’ privacy and security from inadequately protected data is growing fast,” said Tina Stewart, vice president of marketing for Vormetric. “Yet compliance requirements that can’t completely safeguard data continue to be the driver for healthcare industry IT security practices. Healthcare organizations now have to prioritize the safety of patient data and privacy as part of patient care, and realize that meeting compliance requirements is only a start.”