Healthcare Sector Security Woefully Weak, Survey Says

The healthcare industry has become the favorite playground for many cybercriminals, suggests a report Trustwave released earlier this month.

Of the 398 full-time healthcare professionals surveyed, 91 percent of information technology respondents and 77 percent of nontechnical respondents believed criminals increasingly were targeting healthcare organizations.

However, healthcare organizations allocated only 10 percent or less of their IT budgets to cybersecurity and protecting patient information.

“Finding an agreement on resource allocation is much more difficult [for healthcare organizations] due to the number of individuals in the decision-making process,” said Derek Clark, a sales manager at Trustwave.

Further, healthcare organizations “have much more bureaucratic issues to deal with than other organizations,” he told the E-Commerce Times. “In many cases, there are numerous hoops to jump through to implement security standards [and] these organizations can also be very siloed, with one department focused on vulnerabilities, another on PCI, and one on database security. This can sometimes create adversarial relationships.”

Breach Fears

Losing patient data was a greater concern than losing other information for 79 percent of technical respondents and 77 percent of non-techies.

Fears of a breach haunted 74 percent of technical respondents and 51 percent of non-techies.

A shortage of cybersecurity staff and expertise concerned 35 percent of technical respondents, and 34 percent of tech respondents said their organization performed vulnerability testing only once a year.

Nontechnical respondents were of two minds about breaches: Severnty-seven percent of them believed criminals were increasingly targeting healthcare organizations, but 86 percent believed their organization had not yet been hit.

In the Bad Guys’ Sights

Healthcare is indeed a major target for cybercriminals, Raytheon|Websense found in a report released last month. The healthcare sector experiences 340 percent more security incidents and attacks than the average for other industries, and it is more than 200 percent more likely to encounter data theft.

Advanced malware is used in one of every 600 attacks in the healthcare sector. Compared to other sectors, healthcare is four times more likely to be hit by advanced malware.

Cyberattacks included all security incidents, ranging from lures encountered to links clicked, to redirects from websites to phishing attempts, Bob Slocum, Raytheon|Websense’s product marketing manager, told the E-Commerce Times.

The healthcare sector is 74 percent more likely than other sectors to be hit by phishing schemes, Raytheon/Websense found.

“It’s simple economics,” noted John Gunn, vice president of communications at Vasco Data Security. “Hackers are attacking targets with highest-value assets.”

They can get Social Security numbers from healthcare organizations, for instance.

Companies in healthcare “are lagging behind, and unless they greatly increase their investment in the people and security solutions necessary to protect their assets, they’ll remain the target of choice for criminals,” Gunn told the E-Commerce Times.

Protecting those assets is not going to be easy, though.

Healthcare organizations “need to guard thousands of gates into [their systems],” noted Jeff Hill, channel marketing manager at Stealthbits.

“The bad guys only have to successfully penetrate one,” he told the E-Commerce Times.

Contributing Factors

The digitization of medical records is proceeding apace, further compromising the security of healthcare organizations.

Wearables — notably smartwatches and smartphones — may create another avenue of attack for hackers.

“Within the hospital environment, clearly, security has to be addressed, and device and system manufacturers will increasingly have to demonstrate security has been addressed in their offerings,” said Jonathan Collins, principal analyst at ABI Research.

Security for smartphones and smartwatches is a separate issue, but they “may over time become gateways for medical information which would require specific security provisions before they could be included in any diagnosis system,” he told the E-Commerce Times, “rather than just providing additional context regarding the patient’s well-being.”