Late last year, Quest Diagnostics divulged that hackers had breached its patient records, gaining access to patient information that is extremely sensitive and quite personal for any individual impacted by the breach. In this case, digital intruders stole personal information through a mobile app that lets patients store and share electronic health records.
Luckily, the stolen data from Quest did not include Social Security numbers, credit card accounts, insurance details or any other financial information, according to Quest. Any breach, especially one involving Personally Identifiable Information (PII), is detrimental, but it could have been a lot worse. Quest and others that have faced the aftermath of a data breach know this all too well.
Quest is taking the right steps, working with an external cybersecurity team to review its security plans and with law enforcement to review the security incident itself. But these breaches are becoming more common and costly. In fact, the average cost for breached healthcare companies is $398 per compromised record, according to the Ponemon Institute.
And vulnerability is high. A survey conducted by the American Health Lawyers Association along with media research company Bloomberg Law found that attorneys overwhelmingly (87%) think the healthcare industry is vulnerable to hacks. Additionally, in a HIMSS survey, 80% of providers in 2016 admitted that their organization had experienced a recent “significant security incident.” Attorneys have since become intimately involved in managing cybersecurity issues for their healthcare clients, helping organizations to protect themselves against these threats. Legal counsel is helping healthcare clients be more proactive and develop a data loss prevention (DLP) strategy. And business is booming.
Yet, despite all this, healthcare providers are averaging less than 6% of their information technology budget expenditures on security, based on a March 2016 survey from HIMSS Analytics, the research arm of the Healthcare Information and Management Systems Society (HIMSS), and security firm FairWarning. If these patient records are so valuable, and vulnerable, why is such a small fraction of the budget spent on protecting them?
Stop the Bleeding
Overall, healthcare security budgets and strategies are failing to keep up with the pace of malicious cyber criminals. As clinicians become more mobile and work is done outside of the hospital, historical perimeter layers of security are not enough. Instead, IT needs to find innovative new ways to protect the health data it is storing while still enabling and increasing the productivity of clinicians who are roaming from hospital to hospital on varying devices. The measures that many are now taking focus less on the firewall and more on protecting the individual clinician while still keeping them productive. Such tools include:
- Dynamic access – limit system access for clinicians based on their identity and role so that hackers can’t take advantage of unrestricted access controls.
- Application whitelisting and read-only blanketing – prevent accidental clicks from executing malware or unauthorized apps by granting clinicians access to run only authorized applications based on their roles.
- Digital endpoint controls – secure all digital entry points into healthcare networks, including portable drive ports, to keep malware from entering the environment.
- Automation – automatically deliver and remove the right level of access based on automation and workflow, so that a standard approach is created. Because this approach is automated, it removes human error and creates an auditable and traceable path for system access.
At RES, we believe that healthcare IT leaders need a way to protect the business from external and internal threats with a unique people-centric approach to:
- Reduce risk and ensure compliance
- Manage worker-related system and data security through automation and a single, flexible identity
- Drive clinician productivity with secure access and automated service delivery
Visit www.RES.com/Security to learn more about how RES ONE Security can help you outpace cyber criminals, and keep your people (and data) protected.
*Following the launch of RES ONE Enterprise on February 21, 2017, RES ONE Service Store is now RES ONE Identity Director and RES ONE Suite is now RES ONE Enterprise.