Comment: Security breaches cost health care industry £4bn annually

According to a recent Ponemon study, the economic impact of each security breach was £1.2m per health care organization over a two-year period

According to a new Ponemon Institute study sponsored by ID Experts, the health care industry continues to incur security breaches costing them £3.8bn a year. Only last year medical records belonging to patients at a hospital near Falkirk in the UK were found in a car park.

Despite regulations such as HIPAA, health care organizations are struggling to protect patient data. Sixty percent of respondents to the Ponemon study said they have suffered two or more security breaches in the past two years. The top causes of breaches were “unintentional employee action, lost or stolen computing devices, and third-party accidents”. The economic impact of each security breach was a whopping £1.2m per organization over a two-year period.

Security breaches have resulted from a lack of preparation and staffing, with most organizations having fewer than two people dedicated to data protection management. According to Doug Pollack, director of privacy and security at ID Experts, “revenue trumps privacy”.

However, there are a few things that cost-conscious health care organizations can implement to protect their patients’ private data:

  • Ensure all communication with patient records is sent securely, requiring authentication
  • Utilize content monitoring to prevent all patient information from going across unsecure email

With the cost of security breaches reaching a mind-boggling £3.8bn a year, it’s hard to understand why health care organizations haven’t taken the steps to secure patient records. It is far too easy for that information to get into the hands of data brokers and identity thieves using it for their own financial gain at the cost of patient care.

The solution: secure file transfer

There is an easy way to greatly reduce the risk of data breaches while removing the temptation for users to circumvent IT security measures. Organizations can implement an enterprise-wide secure file transfer solution that’s easy to use, easy to integrate, and easy to manage.

The best secure file transfer solution supports two-way communication among all authorized users, including partners and trusted users outside the organization. It enables users to send files securely over channels that can be monitored and managed by the IT department without relying on FTP, data sticks, or other unsecured methods.

Reporting tools confirm which files have been received, who accessed them, and when. Employees are not tempted to abandon the secure solution as soon as they need to transfer files to a recipient who might not already have an account. The solution enables secure communication with the organization’s community of business users, adapting as that community grows and evolves.

By adopting a secure file transfer solution and abandoning risky file-sharing practices, an organization can better protect its confidential data and simplify compliance with industry regulations and data-security laws.

Best practices for implementing secure file transfer

Like any technology, secure file transfer solutions can be implemented in various ways, impose various demands, and achieve varying levels of success. Following is a list of best practices for implementing a secure file transfer solution:

1. Ensure ease of use and transparency to users

Make secure file transfer so transparent and easy that employees are no longer tempted to use alternatives, such as private file transfer accounts or Gmail. Best-of-breed solutions can be integrated to work with email systems, web browsers, and other business applications that employees use every day.

2. Disable FTP and delete old files stored on FTP servers

FTP, whilst ostensibly secure, is too cumbersome to manage, administer and use. End users need unique, password-protected accounts, and provisioning them can often take days or weeks. This delay prompts users to seek alternatives. Why wait for a special FTP account when you can send the file immediately with Gmail or post it on a free file-sharing site like drop.io?

When employees do use FTP, other problems result. FTP servers become repositories for old, untended confidential files that have not been deleted. Clogged servers become targets for hackers, and unscrupulous FTP users may pore through directories, looking for interesting data.

3. Block P2P programs and warn employees about the dangers of P2P

P2P clients are among the most popular software downloads, but few users realize just how risky P2P file-sharing really is. The default configurations of many P2P clients broadcast data from local hard drives. Users are often too swept up with their new music or movies to notice.

4. Extend secure file transfer capabilities to IM

By integrating a secure file transfer solution with IM clients, organizations can achieve two important goals. First, they can ensure that file transfers over IM are secure and well-managed. Second, the secure file transfer solution becomes the sole platform and repository of record that users trust for transferring files, regardless of the client technology being used: web browser, email client, or even IM.

5. Protect files in transit

Protect files in transit with SSL, data encryption, and password authentication.

6. Protect files at rest

Protect files at rest with data and disk encryption and password authentication.

7. Let authorized users help themselves

Enable business partners and other trusted outsiders to easily gain access and use the same secure file transfer system for sending and receiving files. Eliminate the need for IT managers to manually create accounts before files can be transferred.

8. Set policies that limit the sharing of confidential information via courier services

There are some situations that require paper originals and the use of courier services. But in many cases, sending files electronically is faster, safer, and more secure. Another benefit is that it consumes much less energy and results in less pollution. A secure file transfer solution is ‘greener’ than courier services relying on airplanes and trucks.

9. Audit file transfers to ensure best practices and industry regulations are being met

By monitoring file traffic and account activity, while keeping an eye on the use of courier services, Gmail, and other communication channels, IT and security personnel can gain an understanding of which users and departments might be clinging to their old habits and putting data security and regulatory compliance at risk.
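As an added illustration of the audit described in this step (example code written for this page, not Accellion's product or anything from the article), the following Python script classifies a constructed set of outbound-transfer log lines by channel and reports, per department and per user, how much traffic still bypasses the sanctioned file transfer service. The log format, the hostname `sft.example-hospital.local` and the sample records are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of outbound-transfer log lines (not real data). Assumed format:
# timestamp user department protocol destination bytes
SAMPLE_LOG = """\
2011-04-19T09:12:01 jsmith radiology HTTPS sft.example-hospital.local 2048000
2011-04-19T09:15:44 mlee billing FTP ftp.legacy.local 512000
2011-04-19T10:02:13 jsmith radiology HTTPS mail.google.com 1048576
2011-04-19T10:30:55 rkhan pharmacy BITTORRENT 203.0.113.7 734003200
2011-04-19T11:01:09 mlee billing HTTPS drop.io 3072000
2011-04-19T11:20:00 aoconnor admin HTTPS sft.example-hospital.local 4096
"""

SANCTIONED_HOST = "sft.example-hospital.local"        # assumed name of the secure file transfer service
UNSANCTIONED_PROTOCOLS = {"FTP", "BITTORRENT"}        # channels the article says to disable or block
UNSANCTIONED_HOSTS = {"mail.google.com", "drop.io"}   # webmail / free file-sharing sites named above

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def classify(line):
    """Parse one log line; return (user, department, label, bytes) or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, user, dept, proto, host, nbytes = m.groups()
    if host == SANCTIONED_HOST:
        label = "sanctioned"
    elif proto in UNSANCTIONED_PROTOCOLS:
        label = "unsanctioned:" + proto.lower()
    elif host in UNSANCTIONED_HOSTS:
        label = "unsanctioned:" + host
    else:
        label = "unknown"          # neither known-good nor known-bad; worth a follow-up
    return user, dept, label, int(nbytes)

def audit(log_text):
    """Count unsanctioned transfers per department and sum their bytes per user."""
    by_dept = defaultdict(lambda: defaultdict(int))
    by_user = defaultdict(int)
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        user, dept, label, nbytes = rec
        if label.startswith("unsanctioned"):
            by_dept[dept][label] += 1
            by_user[user] += nbytes
    return {"departments": {d: dict(c) for d, c in by_dept.items()},
            "bytes_by_user": dict(by_user)}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Departments that never appear in the report (here, admin) are the ones already using only the sanctioned channel; the rest are the "old habits" the article tells IT to chase down.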

10. Educate employees and include secure file transfer policies in overall security guidelines

Educating users is an essential step for IT security. Organizations should document their file transfer policies, explain the risks of applications such as P2P and IM, and train users on using a secure file transfer solution.

Once users recognize the risks of unsecured and unauthorized file-sharing methods and understand the capabilities of the secure file transfer solution at their fingertips, they are less inclined to resort to using alternatives. It will also enable IT departments to more quickly and thoroughly meet the demands of compliance officers and regulators.


Dr. Paul Steiner joined Accellion in 2001 as senior vice president - Europe. Prior to joining Accellion he held positions as vice president international - Europe at AboveNet Communications and managing director of Europe, Africa, Middle East and India for NetCom. As a management consultant with McKinsey & Co., in Munich, Germany, Steiner’s clients included Daimler Benz, Europe’s largest copper refinery, and leading German firms in banking, insurance, retail and publishing. Steiner also co-founded NETWAY in 1995, one of the first ISPs, which grew to be the leading Austrian ISP before being sold to UTA/Tele 2 in 2001. Steiner completed a PhD and MSc in petroleum engineering from Leoben Mining University, and an MBA from the University of Michigan.

Accellion is exhibiting at Infosecurity Europe 2011 – the No. 1 industry event in Europe – where information security professionals address the challenges of today whilst preparing for those of tomorrow. Held from 19th – 21st April at Earl’s Court, London, the event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit the event’s website.
