weerapat1003 - Fotolia

Most healthcare organisations have been breached, report shows

 Less than a third of global healthcare organisations remain untouched, as data breaches rise across the industry, a report reveals

Only 30% of global healthcare organisations have not been hit by a data breach, according to the 2018 Thales healthcare data threat report, issued in partnership with 451 Research.

Out of the 70% that have been breached so far, the report reveals 36% have been breached in the past year alone, and that as result 55% of respondents feel “very” or “extremely” vulnerable to data breaches.

According to the report, while digital transformation is enabling better healthcare through increased efficiency at lower cost, at the same time it is introducing more security risks through the use of cloud, big data, internet of things (IoT) and containers to create, manage and store data.

Most (93%) of global respondents reported using these technologies with sensitive data, but the report notes that with each new technology comes unique data security challenges that must be addressed, as they increase the attack surface available to cyber criminals.

The report found that all global respondents are using cloud technologies, with 54% using three or more cloud suppliers for infrastructure (IaaS) rather than having it on site, 33% using more than 50 cloud-based software applications (SaaS), and 54% using three or more cloud-based platforms (PaaS).

Almost all (99%) of global respondents are using big data, 94% are working on or using mobile payments, and 94% have a blockchain project implemented or are in the process of implementing one. At the same time, 96% are using IoT technologies, which may include internet-connected heart-rate monitors, implantable defibrillators and insulin pumps.

The Thales report comes just days after a report by IoT security firm ZingBox revealed that imaging systems are the biggest cyber security risk in the healthcare sector, responsible for 51% of all security issues reviewed in a year-long study at more than 50 healthcare locations.  

As a result of this move to new technologies, the Thales report said healthcare organisations have emerged as a prime target for hackers, putting valuable medical data at risk.

While a stolen credit card has a time-limited value, the report said personal health information (PHI) and electronic medical records (EMR) are packed with immutable data that is sold on illegal online markets.

Compliance debate

Compliance is playing larger role in influencing global healthcare security attitudes, the report found. Past global healthcare reports have shown the US to place more of an emphasis on compliance, compared with global counterparts. This is primarily driven by a privately focused healthcare system, which contends with a complex web of regulations and standards, the report said.

The effectiveness of a compliance-based strategy is debatable, the report said, with 77% of US healthcare respondents reporting at least one breach at some time in the past, making it the most breached among all US verticals polled in this year’s report. 

Despite US struggles, the report said 64% of global healthcare respondents still believe compliance requirements are “very” or “extremely” effective at preventing data breaches, with compliance ranking first among global healthcare respondents as a driver of security spending (51%), higher than any other sector and higher than the US (44%).

Puzzling stance on data-at-rest security tools

While 83% of global healthcare respondents plan to increase spending on security, the survey shows that only 40% of global respondents are increasing spending for data-at-rest security tools. This stance is puzzling, the report said in the light of other findings of the survey.

For example, encryption is the top choice for complying with privacy regulations (36%) for global respondents, and 76% of global healthcare respondents also ranked data-at-rest defenses such as encryption or tokenisation as the number one tool for protecting data tied with data-in-motion defences.

Peter Galvin, chief strategy officer at Thales e-Security, said when it comes to data security, the global healthcare industry is increasingly under duress, which is why some of this year’s findings are so counter-intuitive.

“For example, 63% of global respondents are investing money in endpoint security, even though it offers little help in protecting data once perimeters have been breached.

“Data security spending needs to match healthcare’s reality – which is that of an industry embracing digitally transformative technologies – in the form of investments in encryption systems offering protection to known and unknown sensitive data that has moved beyond the traditional four walls of the healthcare environment,” he said.

The report recommends that healthcare organisations should re-prioritise their security toolset; discover and classify all data; move beyond compliance and adopt security tools such as authentication and encryption; and ensure encryption and access control on all cloud, big data, IoT and mobile environments.

Read more about cyber security in healthcare

  • Five tips to improve cyber security in the health sector.
  • Imaging systems biggest security risk in healthcare.
  • NHS data security: Lessons to be learned
  • NHS Digital aims to put healthcare on firm cyber security footing.

Read more on Hackers and cybercrime prevention