Health care sector finds cure for digital attacks elusive

HIPAA compliance alone doesn’t make for the strongest security


As the health care sector struggles with intensifying cyber attacks, security experts say it could take the next decade for robust defenses and effective security policies and procedures to become an industry norm.

That’s great news if you’re a cyber criminal. And it’s the reason high-visibility disclosures of massive data breaches are likely to continue. The latest is the loss of health care records for 10 million people disclosed last week by Excellus BlueCross BlueShield.

“Health care is decades behind on how they manage information,” says Michael Ebert, leader in Healthcare & Life Sciences at consultancy KPMG LLP.

In a recent KPMG survey of 223 health care executives, only 53 percent of providers and 66 percent of payers said they considered themselves ready to defend against a cyber attack.

“This isn’t a three-year fix, it’s a seven- to 10-year evolution,” Ebert says.


The health care sector is an attractive target due to the volume of rich personal data generated in the normal course of business. Complex data management scenarios make security even more challenging.

“The data sharing is 100 percent of the risk,” says Morey Haber, vice president of technology for BeyondTrust, a cybersecurity company that offers privileged account management.

If only a limited number of individuals needed access to personal data to administer health service, the system would be easier to protect, he says. But sensitive information has to be shared widely and quickly. Myriad professionals and suppliers collaborate remotely across multiple locations.

“This becomes an exponentially more difficult situation to deal with when it comes to security access to health care records and the various tools and systems that are in place,” says Travis Greene, identity solutions strategist for NetIQ, the security portfolio of Micro Focus.

An added challenge is that many of those tools and systems are outdated. And even the newer technology was built with security as an afterthought, experts say. The same is true of processes that are in place to secure the information.

Priority isn’t put on security

Business operations are “focused on functionality and on saving patients’ lives,” Ebert says. “They’re not necessarily focused on the storage of information.”

For half of the providers who responded to the KPMG survey, regulatory enforcement was a top concern, above financial loss or reputation.

Haber says that too many health care organizations are satisfied with simply being compliant with regulations such as HIPAA, which should be viewed as a minimum framework.

In the financial services and retail sectors, competition is forcing an emphasis on cybersecurity. Conveying a highly trustworthy reputation has become a differentiator. Consumers are proving to be less inclined to do business with a company that’s been compromised.

But the way the health care system is structured in the United States, Greene says, there’s not a lot of shopping going on for the lowest cost or most trustworthy provider.

“There’s no incentive for them to implement new technologies and securities around technology,” he says.

Michael Ebert, KPMG Healthcare & Life Sciences Cyber Practice leader

Even if competition were tougher, Ebert isn’t convinced that consumers would change their habits en masse. They are searching for the best care, perhaps life-saving care, and are less concerned with issues like breaches.

“I don’t think consumer patterns will necessarily change in health care because your relationship with your doctor is completely different from your relationship with your credit card,” he says.

Industry waking up to risks

The health care industry isn’t completely ignoring cyber threats. Ebert notes that two years ago, he hardly did any cybersecurity presentations and presently he delivers several board-level pitches a month.

He says senior decision-makers are “frustrated because the answer isn’t that I can fix this tomorrow. The answer is not a technology, but a people solution—you’ve got to change how the people and the processes operate.”

Still, many organizations also are focusing on technology, an area that has historically been underinvested in.

Haber, for example, says he is seeing a growing movement around privileged access management. But, he says, it would take a lot more major breaches for other health care organizations to take note—breaches like Ashley Madison.

“If you have a company that crashes and burns due to something like this, other executives wake up,” he says.

Greene says it’s especially tough for providers to invest in new security technology when they could be investing in life-saving equipment. He says the industry needs to look at costs more broadly, including the costs to individuals whose information is stolen.

“I think as health care organizations mature, they’re going to realize that good security practices result in compliance, but compliance doesn’t necessarily result in good security practices,” he says. “It’s a learning curve, and we’re just not there yet.”
