Compliance is king in the healthcare industry. Health technology experts must ensure that medicines are compliant with FDA standards, certify practitioners are appropriately trained and licensed, make sure facilities meet safety standards, and protect patient data – all of which require a compliance standard. Similarly, the implementation of IT security has also taken this compliance-first approach. While verifying systems and practices meet HIPAA is a critical practice, building these systems around compliance standards does not always guarantee that they are secure.
However, guaranteeing security and compliance in any industry is not a simple feat. Compounding the issue, healthcare providers are especially exposed to malicious insiders, the identity and insurance information in medical records is particularly valuable, and medical devices are notoriously vulnerable to attack. Over the past few years, more than 90% of healthcare organizations have reported a breach and 40% have reported more than 5 breaches over the past 2 years. Moreover, in 2014 there was an 82% increase in healthcare data breaches; this was the first time criminal attacks were the number one cause of data breaches in the industry. Additionally, 71.3% of the attacks in the healthcare industry were through peer-to-peer computing, including denial of service, man-in-the-middle, worm propagation, rational attacks, and file poisoning. These breaches are estimated to cost the industry $6 billion per year, with a single breach costing more than $2.1 million. But the impact of a healthcare breach is more than just a monetary concern; it interrupts care, presents potential lawsuits, threatens an institution’s reputation, and can diminish patient trust. So how can healthcare organizations work to solve the security problem? To start, organizations should reconsider their approaches to compliance.
David Finn, Health IT Officer with Symantec, recently discussed the shift away from a compliance mentality. Finn described the false sense of security in healthcare organizations, where cybersecurity implementation has traditionally been treated as a check box. He noted, “robotic surgery is not actually being performed by robots on patients. Or a medication cabinet isn’t actually dispensing drugs directly to patients – you have to have smart people using these very complicated tools in order to get the outcome you’re trying to achieve.” In defending against cyber threats, the strategy should be no different. Today, executives within healthcare organizations are realizing that security needs broader attention and support. Continuous education, proper training, and proper use of the right tools across an organization are key to building a robust security system. Finn poignantly remarked that “the worst thing you can do…is create a false sense of security, because just having a tool isn’t going to protect you.”
Further complicating the compliance approach is the growth of the Internet of Things. With so many mobile and third-party connected devices, ensuring every device – and the networks they connect to and through – is compliant becomes a monstrous task. Symantec predicts that there will be 30 billion devices connected by 2020 and “regulation may be forced to catch up to technology in 2016.” In response, health organizations need to make sure there are secure connections between all of these disparate devices, including smartwatches, activity trackers, headsets, tablets, portable dispensers, and more. Once an organization is able to guarantee the security of all the devices connecting to its network, security compliance should fall into place more easily.
Symantec is working with hospitals and healthcare institutions across the country to educate employees about smart technology practices, to build a security-first rather than a compliance-first mentality, and to help better lock down systems. For more insight into the challenges of implementing security in the healthcare environment, check out this infographic.