The regulatory environment in healthcare is becoming increasingly complex, but healthcare organizations are still managing to keep up. Unsurprisingly, this has created an environment where compliance with regulations frequently takes precedence over actual security.
This fact is illustrated in a recent study, the 2016 Vormetric Data Threat Report: Trends in Encryption And Data Security, Global Edition. This latest iteration of the report addresses the new threat environment in which organizations are functioning, specifically the evolution of the cyber attacker and the increased awareness of the value of protected health information (PHI) and other forms of protected data.
Information in the report is taken from a survey conducted between October and November of 2015 that involved over 1,100 senior security executives from regional markets including the U.S., U.K., Japan, Germany, Brazil, Mexico, and Australia.
The Compliance-Security Paradox
One key takeaway from the report is that compliance does not guarantee security. Across the industries surveyed, 61 percent of organizations had experienced a breach, but, at the same time, this was not (nor was the breach of a competitor) the primary driver for taking action to secure data.
It appears that compliance is the most powerful motivator behind security decisions, and it is one that leaders see as effective. According to the report authors, “While we were encouraged to see the shift toward implementing security best practices, many security executives across the globe still appear to equate compliance with security — nearly two-thirds (64 percent) of our respondents viewed compliance requirements as either ‘very effective’ or ‘extremely effective’ in preventing data breaches, up from 58 percent last year.”
The challenge here is that compliance and security frequently operate on different planes: an organization can satisfy every regulatory security standard and still be vulnerable to cyberattacks.
A Promising Outlook
Still, organizations seem to be coming around to the idea that compliance isn’t enough, and, as a result, best practices are becoming more common. “However, there are some signs that other motives for securing data are gaining momentum,” the report’s authors note. “Reputation and brand protection retained its top spot and was selected by nearly 50 percent of respondents. Implementing security best practices remained in third place but showed the largest year-over-year increase of any category, increasing from 39 percent to 44 percent.”
As for healthcare, we’re seeing promise of increased investment in security, with 64 percent of respondents indicating plans to increase spending. The industry has also shown one of the highest rates of faith in the effectiveness of compliance mandates, coming in behind only IT, with 21 percent of respondents indicating they believe compliance mandates prevented data breaches.
Overall, these findings point to a need for vendors to have conversations with their clients not only about their attitudes toward compliance, but also about their risk profiles and their expectations of security in a modern threat environment.