Stolen health-care records will command up to 10 times the amount of credit card information on the black market, but cyber-security spending remains scant.
Tech employees working within the health-care industry believe their companies are increasingly being targeted by cyber-criminals, according to a new study from Trustwave, an information security company. At the same time, about half of respondents indicate their organizations are investing 10 percent or less of their IT budget on cyber-security.
"This 10 percent certainly is a number where some people have reported organizations spending less and some people have reported organizations spending more," said Steve Kelley, senior vice president of product and corporate marketing at Trustwave. "There are some very well-known breaches that have occurred out there in health care in the past couple of years and that's one of the reasons why we ran this report. Often, those organizations that have been breached tend to be more vigilant than those who haven't."
Trustwave expects its "Security Health Check Report" to be issued annually in upcoming years to better track security threats and responses within the industry over time, according to Kelley. Nearly 400 full-time professionals from the entire health care ecosystem, including technical (CIOs, IT managers, IT directors) and non-technical employees (doctors, nurses, administrators), participated.
"The most alarming thing about this survey is that it appears that most health care organizations are really ill-prepared for dealing with today's IT security threats," he said. "And, what's very interesting is that we've seen that health-care records will fetch up to 10 times the amount as traditional credit card records on the black market."
In fact, more than 90 percent of IT respondents believe that criminals are increasingly targeting health care organizations. There may be numerous reasons for this, according to Kelley. While many companies lack the funds to hire, maintain and retain IT experts to provide continued security services, other organizations simply are more focused on compliance than security.
"When we work with customers from a compliance or security perspective, we educate them that it's not enough to be compliant," he said. "Really, what you have to think about is how to be secure 24 hours a days, seven days a week, 365 days a year."
This is where a managed security model can be advantageous, he said. Some companies that use this model realize that it can be more affordable, and scalable, compared to paying for the expert costs entirely themselves.
Also, because it's not just tech employees who are dealing with data on a regular basis, security awareness education is key to having strong security defenses, he said.
"Anyone who is communicating with a patient, anyone who is working with patient data … needs to be aware and trained how to be vigilant so that that data is being taken care of properly, and also making sure they are not the weak link in the security process," he said.
Additionally, social engineering has become a factor in cyber-threats. Through this, a criminal might connect to an administrative-type person on a networking site, like LinkedIn, and be able to obtain the names, titles and emails of other people within an organization using that connection.
"What also is interesting with social engineering is that someone's personal computer could be compromised, and all of the activities may look like they are coming from an insider when an outsider is controlling them," he said.
Fortunately, the way organizations are responding to threats and breaches has begun to change in the past few years, he said. Once the dominant model was to stop a breach and protect an organization. Now, with the realization that a breach is more likely to occur than not, more organizations have instituted incident response procedures and policies. However, a quarter of all technical respondents to the survey indicated their organizations had no incident response plan in place in the case of a breach. These plans may better prepare companies to handle breaches.
"When someone is perpetrating one of the crimes, their goal is to get as many of these records and sell them on the market," he said.