Healthcare Industry Finds Itself Falling Behind on Data Security Front

Posted on by Tony Kontzer

With the healthcare industry having put so much energy in recent years into the transition to electronic healthcare, and into protecting patient privacy through regulations like the U.S.'s Health Insurance Portability and Accountability Act (HIPAA), one would assume the sector has been addressing security sufficiently.

That would be a dangerous assumption.

Recent events haven't just highlighted the significant information security challenges faced by healthcare providers; they've called into question the ability of providers to meet those challenges in a world where patients are managing their care via mobile devices and web-based provider interfaces. From vulnerabilities in medical devices and poor information-protection practices to rising malware and ransomware incidents, the industry, which is on its way to accounting for 20 percent of the U.S. economy, is finding itself besieged on all fronts.

For starters, the Protenus Breach Barometer, a monthly snapshot of healthcare industry security breaches taken from data compiled by, recently reported that two-and-a-half times as many patient records (1.5 million) in the U.S. were breached in March than in January and February combined. Just as disturbing was the finding that 44 percent of incidents reported in March were tied to insider threats, with almost all of the damage tied to insider wrongdoing as opposed to error.

Meanwhile, taking a longer view, Symantec’s 2017 Internet Security Threat Report found that security measures in healthcare lag behind those of other regulated industries, and that healthcare data breaches rose by 22 percent last year, from 269 in 2015 to 328 in 2016.

Throw in the results of a recent Accenture survey that found that one in eight patients in the U.S. has had their healthcare records stolen from a provider, and that only 20 percent of the affected patients say they were informed of the breach by the provider, and it's clear the industry has some major problems.

As if on cue, the industry got its latest reminder of those problems when Lifespan, a Rhode Island-based healthcare network, recently informed 20,000 patients that some of their healthcare data had been compromised when an employee's laptop was stolen from his vehicle in February. While the company made clear that the stolen information did not include patient Social Security numbers, financial data, or any clinical details, the incident puts a spotlight on just how far healthcare providers have to go if they're going to keep patient data safe.

Unfortunately, one of the most glaring areas of weakness for the industry is also perhaps the hardest to address: the near-total lack of security expertise in most provider organizations. Josh Corman, director of the cyber statecraft initiative at the international affairs think tank the Atlantic Council and co-founder of trustworthy computing nonprofit, addressed the topic at this week's Source Boston conference, telling attendees that three quarters of healthcare delivery organizations lack a single qualified security person on staff.

“There’s no one there to apply patches, receive threat intelligence, or respond to emergencies,” Corman said. “It’s basically nurses and medical technicians. There’s no one there.” 

The vulnerability of the healthcare industry also has gotten recent attention from the Food and Drug Administration, which is especially concerned about vulnerabilities in medical devices that could be used to cause harm directly to patients, although no such incidents have been recorded yet. 

Zach Rothstein, associate VP at the Advanced Medical Technology Association, told political news site The Hill that the FDA is making a concerted effort to have more eyes watching the henhouse.

"You're starting to see FDA hire software experts so that internally they have more capabilities to evaluate cyber security programs of these companies," said Rothstein. 

It's a long way from taking a more watchful approach to sufficiently locking down healthcare data, but at least the issue is getting more attention.

Tony Kontzer, RSA Conference
