A vast majority (92%) of healthcare IT decision-makers reported that their organizations are at least somewhat vulnerable to insider threats, and 49% felt very or extremely vulnerable.
According to the healthcare-focused results of the 2015 Vormetric Insider Threat Report (ITR), a full 62% of respondents identified privileged users—those who have access to all resources available from systems they manage—as the most dangerous type of insider. Partners with internal access and contractors ranked second and third, respectively.
The report pointed out that healthcare data has become highly desirable to bad actors, with healthcare records selling for tens to hundreds of dollars each. That is far more than credit-card information fetches: US credit-card records sell for 50 cents or less. The enormous detail in a patient record explains the difference, as it lets criminals not only apply for credit cards or loans in the victim's name, but also generate large sums from fraudulent medical charges, or even compromise the patient's existing financial accounts.
The survey results indicate that data protection in healthcare organizations is driven largely by compliance requirements—54% reported compliance requirements as the top reason for protecting sensitive data, and 68% rated compliance as very or extremely effective at stopping insider threats and data breaches. Unfortunately, compliance standards evolve slowly, often with years between revisions. Threats to data, however, change quickly as new vulnerabilities are found and new attacks are developed. The result is that meeting compliance requirements is no longer enough to protect sensitive data.
Given that healthcare data has become a very attractive target while compliance is widely regarded as an effective defense, it isn't surprising that 26% of healthcare respondents reported that their organization had experienced a data breach at some point. More troubling, 48% reported that in the last year their organization had failed a compliance audit or suffered a data breach, which points to possible problems meeting even base-level compliance.
All of that said, the report also found that priorities appear to be changing: respondents ranked compliance as their second priority for IT security spending at 39%, behind preventing a data breach at 53%. The weight given to data breach prevention has increased 2.5 times from 21% just two years ago (as reported for all respondents in the 2013 Vormetric Insider Threat Report), a substantial change in attitudes.
Sixty-three percent of healthcare IT decision-makers report that their organizations plan to increase spending to offset data threats, the highest of any segment or region measured. That spending is driven by data breach prevention (53%), fulfilling compliance requirements and passing audits (39%), and protecting financial and other assets (38%).
Respondents to the survey also identified the greatest planned spending investments in data-at-rest defenses (46%) and analysis/correlation tools (45%).
“Healthcare data has become one of the most desirable commodities for sale on black market sites, yet US healthcare organizations are failing to secure that data,” said Alan Kessler, CEO of Vormetric, in a statement. “An overreliance on compliance requirements and a cursory nod to data protection point to systemic failures that are putting patient data at risk. What’s needed is for healthcare organizations to realize that compliance is not enough, and to implement the controls and policies required to put the security of their data first.”