63 Percent of Healthcare IT Security Professionals Experienced a Data Breach, 96 Percent Feel Vulnerable
Continued focus on compliance ahead of data breach prevention
2016 Vormetric Data Threat Report – Healthcare Edition
SAN JOSE, Calif. – April 13, 2016 – Thales e-Security, a Thales company, and a leader in enterprise data protection for physical, virtual, big data, and cloud environments, today announced the results of the Healthcare Edition of the 2016 Vormetric Data Threat Report (DTR). The report, issued in conjunction with analyst firm 451 Research, is based on responses from 1,100 senior IT security executives at large enterprises worldwide, including over 100 in U.S. healthcare organizations. This edition of the fourth annual report extends the earlier findings of the global report by focusing on responses from IT security leaders in healthcare, and details their IT security spending plans, perceptions of threats to data, rates of data breach failures and data security stances. Key findings:
- 96 percent feel vulnerable to data threats
- 63 percent have experienced a past data breach, with nearly one in five indicating a breach in the last year
- At 61 percent, meeting compliance requirements was the top IT security spending priority, with preventing data breaches well behind at 40 percent
- Complexity at 54 percent, and lack of staff at 38 percent, are identified as top barriers to adoption of better data security
- Bright spots include 60 percent increasing spending to offset threats to data and 46 percent increasing spending on data-at-rest defenses this year
Healthcare data has become a prime target for cybercriminals. With records selling for hundreds of dollars, it’s no wonder healthcare professionals feel they are in a cybercriminal’s crosshairs. When asked about concerns with external threat actors, 72 percent chose cybercriminals as a top-three selection, and 39 percent as the number one selection.
Compliance continues to drive healthcare organizations – But compliance is not enough
With adherence to a myriad of federal and industry regulations as well as compliance standards creating a minimum requirement for doing business, it’s no surprise that IT security professionals in the healthcare field are focused on meeting compliance requirements, including HIPAA-HITECH, EPCS, PCI DSS and FDA CFR Title 21. With this in mind, the top three reasons to secure sensitive data were:
- Compliance (61 percent)
- Reputation and brand (49 percent)
- Implementing security best practices (46 percent)
The problem? 69 percent of U.S. healthcare respondents view meeting compliance requirements as a ‘very’ or ‘extremely’ effective way to protect sensitive data, yet slow-moving compliance standards consistently fail to stop today’s multi-phase attacks.
“Compliance is only a step towards Healthcare IT security,” said Garrett Bekker, senior analyst, information security, at 451 Research and the author of the report. “As we learned from data theft incidents at healthcare organizations that were reportedly HIPAA compliant, being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen.”
Times have changed – security strategies, not so much
“IT security professionals are spending heavily on what has worked for them in the past,” said Bekker. “They are continuing to invest in defenses like network and endpoint security offerings that offer little help in protecting data once perimeters have been breached.”
- 79 percent rated network defenses as ‘very’ or ‘extremely’ effective at protecting data, and 64 percent said the same of endpoint and mobile defenses
- The top category for increased spending over the next 12 months among healthcare respondents? Network defenses at 49 percent
What’s keeping healthcare professionals from implementing data security?
A perception of complexity was identified as the number one barrier to adopting data security widely, selected by 54 percent of healthcare respondents. To some extent, this may be a misconception, as modern data security solutions no longer have the deployment and maintenance problems of older solutions that respondents may be familiar with.
Complex deployments also typically require significant staffing, and ‘lack of staff to manage’ came in as the second highest barrier at 38 percent, followed by lack of organizational buy-in at 33 percent and lack of budget at 30 percent.
IoT, Cloud and Big Data challenge healthcare IT security practices
IoT: With more work being done on mobile devices by medical professionals, and more connected wearables for general health and outpatient use, this is becoming a prime area of concern for the future of healthcare. Data needs protecting on the device, in transit as well as within backend repositories and analysis sites.
- 38 percent of healthcare organizations are planning to store sensitive data in IoT environments
- Their number one concern? Privacy violations related to IoT data (37 percent) and protection of IoT data (36 percent)
Cloud: Healthcare providers have many concerns with cloud usage, but are storing sensitive data there at breakneck speed. Top concerns included:
- Privileged user abuse at the cloud provider level (74 percent)
- Meeting compliance requirements (72 percent)
- Security breaches at the cloud provider level (69 percent)
Even so, 48 percent will use Software as a Service (SaaS) environments, 52 percent Infrastructure as a Service (IaaS) and 52 percent Platform as a Service (PaaS) resources within the next 12 months.
Encrypting data and maintaining local control over keys was the number one factor that would increase healthcare respondents’ willingness to use public cloud, at 48 percent of responses.
Big Data: 51 percent of respondents were planning to store sensitive data within these environments, but few were worried. In spite of this high level of use with sensitive data, only 15 percent regard big-data implementations as presenting a top three risk for loss of sensitive information.
Getting some things right
A number of positive results indicate that healthcare organizations are taking steps in the right direction to recognize and deal with the problem.
- 60 percent are increasing spending to protect sensitive data
- 46 percent, more than any other vertical, plan to invest in data-at-rest defenses this year
- 46 percent are looking to implement data security to follow industry best practices
- Many are planning to implement ‘newer’ security tools that are more effective at protecting data even when other defenses have been compromised. These include cloud security gateways (39 percent), Security Event and Information Management (SIEM) systems (36 percent), tokenization (35 percent) and data access monitoring (34 percent)
“With the boom in black market sales of healthcare data, the potential for financial harm to patients’ privacy and security from inadequately protected data is growing fast,” said Tina Stewart, vice president of marketing for Thales e-Security. “Yet compliance requirements that can’t completely safeguard data continue to be the driver for healthcare industry IT security practices. For healthcare organizations, they now have to prioritize the safety of patient data and privacy as part of patient care, and realize that meeting compliance requirements is only a start.”
The full research report is available from Thales e-Security.
About 451 Research
451 Research is a preeminent information technology research and advisory company. With a core focus on technology innovation and market disruption, we provide essential insight for leaders of the digital economy. More than 100 analysts and consultants deliver that insight via syndicated research, advisory services and live events to over 1,000 client organizations in North America, Europe and around the world. Founded in 2000 and headquartered in New York, 451 Research is a division of The 451 Group.
About Thales e-Security, a Thales company
Thales e-Security’s comprehensive high-performance data protection platform helps companies move confidently and quickly. Our seamless and scalable platform is the most effective way to protect data wherever it resides—any file, database and application, in any server environment. Advanced transparent encryption, powerful access controls and centralized key management let organizations encrypt everything efficiently, with minimal disruption. Regardless of content, database or application—whether physical, virtual or in the cloud—Vormetric Data Security enables confidence, speed and trust by encrypting the data that builds business. Vormetric Data Security was recently acquired by Thales Group and is now a Thales company.
About Thales e-Security
Thales is a global technology leader for the Aerospace, Transport, Defence and Security markets. With 62,000 employees in 56 countries, Thales reported sales of €14 billion in 2015. With over 22,000 engineers and researchers, Thales has a unique capability to design and deploy equipment, systems and services to meet the most complex security requirements. Its exceptional international footprint allows it to work closely with its customers all over the world.
Positioned as a value-added systems integrator, equipment supplier and service provider, Thales is one of Europe’s leading players in the security market. The Group’s security teams work with government agencies, local authorities and enterprise customers to develop and deploy integrated, resilient solutions to protect citizens, sensitive data and critical infrastructure.
Drawing on its strong cryptographic capabilities, Thales is a global leader in data protection and one of the world leaders in cybersecurity products and solutions for defence, critical infrastructure and telecommunication operators, industrial and financial companies. Covering the entire cybersecurity chain, Thales offers a comprehensive range of services and solutions that includes: cybersecurity consulting and testing, cyber-secured software centric system design / development / integration and certification, provision and through-life management of data protection products and services, secured IT outsourcing and cloud computing solutions, as well as managed security services based on our network of Security Operation Centers in France, the United Kingdom and the Netherlands.
Thales e-Security Media Relations
Thales Media Relations – Security
+33 (0)1 57 77 90 89
Thales e-Security Media Relations
+44 (0)1223 723612