BitSight Technology, a security rating firm, reports that the healthcare industry needs to take a lesson from the recent data breaches experienced by Target and eBay. The BitSight report, “Will Healthcare Be the Next Retail?”, warrants close attention. It analyzed security breaches and response times of four different industries: pharmaceuticals and healthcare (healthcare), utilities, retail and finance.
The study was conducted for the year between April 1, 2013, and March 31, 2014. All sectors experienced security incidents. Finance had the fewest incidents and the fastest response time, about three-and-a-half days. Retail and utilities both responded in about four days. Healthcare had more security incidents, yet came in last in response time. It took five full days to respond to security breaches.
The fewest breaches and the best response time were in the financial industry. That industry takes cybersecurity very seriously and goes beyond doing what is legally required. It takes extra steps to ensure the security of data. It also readily provides warnings to other industries whenever it becomes aware of potential security threats.
Unfortunately, neither healthcare nor the pharmaceutical industry views cybersecurity as seriously as it needs to. Cybersecurity apparently has not received the appropriate attention from executives at the higher levels. Both industries need to spend more money and provide greater compensation for their data security professionals.
The two industries are in compliance with HIPAA regulations, but spend barely enough money to meet the requirements. Unfortunately, just because they are compliant does not mean they are secure.
The BitSight report is similar to a recent SANS Institute report. That report emphasized that the healthcare industry has lagged far behind in its cybersecurity and warns that measures need to be taken to reduce risks. Breaches have become so frequent that the U.S. Department of Health & Human Services (HHS) is imposing heavy fines on health care organizations that have a compromised Internet-connected device.
The failure to take proper cybersecurity precautions can be expensive as the New York-Presbyterian Hospital recently discovered. HHS imposed a $3.3 million fine on the hospital. This is the largest penalty ever imposed for use of a compromised server in the health care industry.
Last Updated on May 28, 2014