2017 Thales Healthcare Data Threat Report: Organizations Spending Big on Cyber-Security
Digitization of healthcare records contributing to data security risks
Thales, a leader in critical information systems, cybersecurity and data security, announces the results of its 2017 Thales Data Threat Report, Healthcare Edition, issued in conjunction with analyst firm 451 Research. Eighty-one percent of U.S. healthcare organizations and 76% of global healthcare organizations will increase information security spending in 2017. These numbers are reflective of an industry undergoing rapid technological and social change in the form of electronic health records and increasingly digitized personal health data.
The Double-Edged Sword of Digitization
In the U.S., government regulations such as the HITECH Act’s Electronic Patient Care Reporting (ePCR) requirements are driving healthcare organizations to digitize their data. While this digitization creates efficiency, it comes at a hefty price: individual healthcare data is exposed to more people, in more places and on more devices, including smartphones, laptops and, increasingly, Internet of Things (IoT) devices.
Despite the risks that come from increased access points, 60% of U.S. healthcare respondents reported that their organizations were deploying to cloud, big data, and IoT or container environments without adequate data security controls. The healthcare industry is also adopting some of these technologies for sensitive data use wholesale, with 69% of U.S. respondents leveraging SaaS, 59% big data, 46% mobile and 35% IoT environments. These numbers may explain why 90% of U.S. healthcare respondents feel vulnerable to data threats and why cybersecurity spending increases by U.S. healthcare companies lead those of all other vertical markets surveyed, including the government and financial sectors.
Compliance Playing Location-Dependent Role
Compliance requirements also drive data security decision-making in U.S. healthcare, with 57% of respondents listing it as the top spending impetus. But compliance ranks near the very bottom of spending drivers among global healthcare respondents. Instead, the top two motivations for security spending are “preventing data breaches” (39%) and “protecting reputation and brand” (also 39%). These findings further underscore the differences between the United States’ privately focused healthcare system and its emphasis on regulations like HIPAA-HITECH, EPCS and others, versus areas of the world where healthcare is less regulated or primarily government-operated.
Encryption Playing Larger Role in Healthcare Data Protection
Across the board, encryption is the technology of choice when it comes to protecting sensitive data residing within cloud, IoT and container environments. Sixty-five percent of U.S. healthcare respondents and 58% of global healthcare respondents opt to encrypt data in the public cloud, with the survey yielding similar numbers for IoT data (59% U.S.; 58% global) and container data (58% U.S.; 60% global).
Data sovereignty, a hot topic in light of concerns about new privacy regulations and government snooping, is also spurring encryption adoption. Encryption is the clear choice of 66% of global healthcare respondents for satisfying local data privacy laws such as the EU’s General Data Protection Regulation (GDPR).
Despite the healthcare industry’s growing interest in encryption, many organizations remain stubbornly focused on network and endpoint security. Network security is still the top choice for U.S. healthcare spending by a wide margin (69%), compared to 53% of global respondents. Endpoint security, at 61%, isn’t far behind. While network and endpoint technologies are a required element of an organization’s IT security stance, they are increasingly less effective at keeping external attacks at bay and at securing cloud, big data, IoT and container deployments, which result in data being distributed, processed and stored outside corporate network boundaries.
Peter Galvin, VP of strategy, Thales eSecurity, says:
“Globally and in the U.S., healthcare companies are under pressure. In Europe, we see data sovereignty’s impact on security decision-making. In the U.S., digital innovation is transforming the way patient information is created, shared or stored. For healthcare data to remain safe from cyber exploitation, encryption strategies need to move beyond laptops and desktops to reflect a world of internet-connected heart-rate monitors, implantable defibrillators and insulin pumps. Adhering to the security status quo will create vulnerabilities that lead to breaches, and further erode customer trust.”
Healthcare organizations interested in improving their overall security postures should strongly consider:
- Deploying security tool sets that offer services-based deployments, platforms and automation
- Discovering and classifying the location of sensitive data, particularly within IoT and container environments
- Leveraging encryption and “Bring Your Own Key” (BYOK) technologies for the cloud and other advanced environments
Please download a copy of the new 2017 Thales Healthcare Data Threat Report for more detailed security best practices.
Visit Thales at booth #7082, HIMSS Conference, Orlando, Florida, February 19-23, 2017.
For industry insight and views on the latest key management trends, check out our blog at www.thales-esecurity.com/blogs.
The data in this study is based on Web and phone interviews of 1,105 senior executives in Australia, Brazil, Germany, Japan, the U.K. and the U.S. Most have a major influence on or are the sole decision maker for IT at their respective companies.
Respondents represented the following industries: automotive; education; energy; engineering; federal government; healthcare; IT; retail; and telecommunications.