92 percent of healthcare IT decision makers reported that their organizations are either somewhat or more vulnerable to insider threats, and 49 percent felt very or extremely vulnerable.
Additionally, 62 percent of respondents identified privileged users – those who have access to all resources available from systems they manage – as the most dangerous insider. Partners with internal access and contractors ranked second and third, respectively.
The survey was conducted by Harris Poll in fall 2014 and included responses from 102 IT decision makers (ITDMs) in U.S. healthcare organizations, as well as 818 total ITDMs in the U.S., U.K., Germany, Japan and the ASEAN region. The healthcare research brief extends earlier findings in the global report, retail and financial research briefs, cloud and big data edition, and the Japan and ASEAN edition with details on the impact of insider threats to the U.S. healthcare industry.
Healthcare data has become highly desirable to bad actors, and much more valuable than credit card information, with healthcare records selling for tens to hundreds of dollars, while U.S. credit card records sell for 50 cents or less. The enormous detail available in patient records is the reason for this, making it possible for criminals to not only apply for credit cards or loans, but to generate large sums from fraudulent medical charges, or even to compromise a patient’s existing financial accounts.
The survey results indicate that data protection in healthcare organizations is driven largely by compliance requirements – 54 percent reported compliance requirements as the top reason for protecting sensitive data, and 68 percent rated compliance as very or extremely effective at stopping insider threats and data breaches. Unfortunately, compliance standards evolve slowly, often with years between revisions. Threats to data however, change quickly as new vulnerabilities are found and new attacks are developed. The result is that meeting compliance requirements is no longer enough to protect sensitive data.
With the combination of healthcare data becoming a very attractive target, and a high regard for compliance as an effective defense, it isn’t surprising that 26 percent of healthcare respondents reported that their organization had previously experienced a data breach. The fact that 48 percent reported that in the last year their organization had failed a compliance audit or encountered a data breach is also troubling, indicating possible problems with meeting even base-level compliance.
63 percent of healthcare IT decision makers report that their organizations are planning to increase spending to offset data threats, the highest of any segment or region measured. When reporting their IT spending priorities, the top drivers were:
- Data breach prevention at 53 percent
- Fulfilling compliance requirements and passing audits at 39 percent
- Protection of financial and other assets at 38 percent.
Respondents to the survey also identified the greatest planned spending investments in data-at-rest defenses (46 percent) and analysis/correlation tools (45 percent).
“Healthcare data has become one of the most desirable commodities for sale on black market sites, yet U.S. healthcare organizations are failing to secure that data,” said Alan Kessler, CEO of Vormetric. “An overreliance on compliance requirements and a cursory nod to data protection point to systemic failures that are putting patient data at risk. What’s needed is for healthcare organization to realize that compliance is not enough, and to implement the controls and policies required to put the security of their data first.”