August was a bad month for the healthcare industry. There were 11 reported data breaches ranging from stolen laptops to sophisticated attacks by professional Chinese hackers. Not only was August a bad month but 2013 was also a bad year. Of the 614 total reported data breaches last year, 43.8 percent occurred in healthcare, far and away the leading targeted industry by nearly 10 percent.
When you look back over the past few years for indicators as to why the healthcare industry is in the sights of cybercriminals more than others, with incidents up more than 100 percent in four years, there are several recurring themes.
- Their focus is on compliance, not security
- They’re underfunded and understaffed
- Their information is more valuable than most records
Taken together, this is a recipe for disaster.
The rules for HIPAA compliance are well defined and penalties for non-compliance can be onerous. For example, in May New York Presbyterian Hospital and Columbia University Medical Center were fined $4.8 million for the disclosure of nearly 7,000 medical records because of lax technical safeguards.
However, you can be compliant but not secure, and vice versa. The FBI warned this April that the health sector, amid a mandatory transition to electronic health records, lacked protections to ward off the rising threat of cybercrime. The time to implement the paper-to-digital transition was truncated, increasing the likelihood that gaps in system design, technology incompatibilities, training and policies would be plentiful. Throwing the Affordable Health Care Act into the mix, which created a one-stop shop for individuals’ most sensitive information, is like sending an engraved invitation to come and get it (which some have already tried to do).
Even if healthcare IT professionals wanted to fortify their records security – which they no doubt would like to do – their industry is notoriously tight with a dollar when it comes to IT funding. Budgets in healthcare are typically less than three percent of revenue; a budget of 20 percent is common in the financial services and retail industries, which many say is still not enough to do all that they should be doing on the security front.
Making matters worse, the healthcare industry faces tougher notification requirements than most industries. It must adhere to a federal law that aims to protect patient privacy, as well as report data breaches that affect as few as 500 individuals, which continually reinforces its reputation as an easy target. In many cases even more stringent state notification laws apply as well.
Low budgets for IT and the increasing sophistication of attackers are leaving healthcare particularly vulnerable. Obviously, this has to change. The industry has to wake up to the fact that it’s under siege and its war chest needs fewer nickels and more dollars. On the staffing front alone, demand for IT security and compliance skills is practically insatiable, which means competing to acquire those skills requires more than table stakes.
The wide gap between the threat and the response is exacerbated by the fact that health information is valuable, as much as hundreds of times more valuable than a credit card record. The FBI estimates a health record goes for $50 on the black market, much more than the few dollars for a credit card number. Others estimate that a full identity profile contained in a single record can bring as much as $500.
They’re stealing health records because they can do huge financial, fraudulent damage, more so than they can with a credit card number or Social Security number: insurance or prescription fraud, for example. A credit card can be canceled within hours of its theft, but information in a patient’s health record lives on forever. The record contains financial records, personal information, medical history, family contacts — enough information to build a full identity. Even if credit card numbers are what criminals are after, a hospital is likely to pose much less of a challenge than a retailer.
As businesses worldwide have sought relief in cloud computing, so now is the healthcare industry, particularly for cloud storage and back-up. Despite the fact that many in healthcare profess little confidence in cloud computing, the magnitude of their security, compliance, budget, skills acquisition and data storage challenges is compelling them to find alternative solutions.
These are a few of the reasons cloud computing makes sense for the healthcare industry.
- Compliance support, as well as logical and physical security, as core competencies
- A managed, redundant and audited IT infrastructure built with best-of-breed technologies
- A challenging professional environment that attracts top talent
- Knowledge base constantly updated through daily operational experience with the IT operations of hundreds of customers
- Rapid-response provisioning and resource scaling
- Efficient, effective and regularly tested disaster recovery solutions
- Multiple Internet and telecom service providers, with over-provisioned bandwidth
- Datacenter oversight and technical support that never sleeps
- The cost benefits of a multi-tenant architecture and volume purchasing power
There are many more, including professionally managed security services and unlimited growth potential. However, one thing stands out. Given the current and ever-worsening attack threat in the face of continuing cost-reduction pressures, having capable business associates to share the load and help make room for healthcare IT pros to attend to other pressing business issues is a strategic and operational necessity.