Is Healthcare Less Secure Than Retail?
By Megan Williams, contributing writer
The news of the last six months has been riddled with reports and follow-ups on the implications of retail data breaches. Target was hit with more than 90 lawsuits as a result of the attacks, and the retail world came under fierce scrutiny for its security practices. What many don’t realize, is that there is an even bigger potential vulnerability in the healthcare industry.
BitSight Technologies addresses the issue in its May 2014 industry report “Will Healthcare Be The Next Retail?”
BitSight assesses individual companies’ security performance on a daily basis, by aggregating data around observed security events like communication with a botnet, malware distribution, and spam propagation. In its efforts to assess the security performance of the U.S. economy as a whole, they analyzed companies on the S&P 500 in February of this year. The analysis includes a breakdown of the results of four industries: finance, utilities, retail, and healthcare and pharmaceuticals. The study covered dates ranging from April 1, 2013 to March 31, 2014.
Healthcare Has High Incident Volume, Slow Response Time
The healthcare sector was found to have much in common with retail, including high volumes of security incidents and slow response times. Over the studied time period, the healthcare and pharmaceutical industries actually saw an increase in security performance, ending the period with a score close to that of retail, at 660 (retail came in at 685). The ratings of the companies in the industry ranged between 410 and 820. Again, like retail, the industry exhibited a wide range of ratings. Healthcare also saw the largest percentage increase in security incidents of all four industries, and exhibited the longest breach event duration (5.3 days).
Findings Confirm Vulnerabilities
The results of the study confirm the findings of the SANS 2014 Health Care Cyber Threat report, which found “exploited medical devices, conferencing systems, web servers, printers, and edge security technologies all sending out malicious traffic from medical organizations. Some of these devices and applications were openly exploitable (such as default admin passwords) for many months before the breached organization recognized or repaired the breach.”
Chandu Ketkar, Technical Manager at Cigital, found similar issues when he assessed organizational security in relation to medical devices used in clinics and hospitals around the country. “Weak encryption, lack of key management, poor authentication and authorization protocols, and insecure communications were all common findings that can compromise data confidentiality and integrity. When sensitive data is compromised, it can not only create risks for patients, but also expose health care providers and device manufacturers to regulatory and business risks.”
Does Healthcare See Security As A Business Issue?
The study also revealed that, unlike financial institutions and electric utilities, health and pharmaceutical did not see cyber security as being a business issue. This is likely the core issue behind the industry not spending enough resources to protect their very sensitive data.
A second issue may lie in compensation of executives. According to a Ponemon study, “2013 Salary Benchmark Report,” health and pharmaceutical ranked lowest for compensation of IT staff. This reflects the industry tendency to only spend enough to meet base compliance with regulations such as HIPAA, which frequently are not enough to bring an organization to a genuine state of security.
Healthcare also has a very specific issue around the theft and loss of laptops, servers, and other devices that contain patient data. This reflects the findings of a recent Verizon data breach report that found that theft and physical loss accounted for 46 percent of industry breaches.
It is quite apparent that healthcare is in need of not only increased security measures across the board, but that it also needs a cultural shift that steers it in the direction of treating security as more than just an afterthought, or the responsibility of regulatory bodies.
For more insight into your healthcare clients’ security needs around data breaches check out our articles on the topic.