Healthcare Organizations Plan to Increase Cyber-Security Spend
February 23, 2017
percent of U.S. healthcare organizations and 76% of global healthcare
organizations will increase information security spending in 2017. These
numbers are reflective of an industry undergoing rapid technological and
social change in the form of electronic health records and increasingly
digitized personal health data.
The Double-Edged Sword of Digitization
In the U.S., government regulations such as the HITECH Act’s Electronic
Patient Care Reporting (ePCR) requirements are driving healthcare
organizations to digitize their data. While this digitization creates
efficiency, it comes at a hefty price: individual healthcare data is
exposed to more people, in more places and on more devices, including
smartphones, laptops and increasingly, Internet of Things (IoT) devices.
Despite the risks that come from increased access points, 60% of U.S.
healthcare respondents reported their organizations were deploying to
cloud, big data, and IoT or container environments without adequate data
security controls. The healthcare industry is also adopting some of
these technologies for sensitive data use wholesale, with 69% of U.S.
respondents leveraging SaaS, 59% big data, 46% mobile and 35% IoT
environments. These numbers may explain why 90% of U.S. healthcare
respondents feel vulnerable to data threats and why cybersecurity
spending increases by U.S. healthcare companies lead those of all other
vertical markets surveyed, including the government and financial
Compliance Playing Location-Dependent Role
Compliance requirements also drive data security decision-making in U.S.
healthcare, with 57% of respondents listing it as the top spending
impetus. But, compliance ranks near the very bottom of spending drivers
among global healthcare respondents. Instead, the top two motivations
for security spending are “preventing data breaches” (39%) and
“protecting reputation and brand” (also 39%). These findings further
underscore the differences between the United States’ privately focused
healthcare system, with its emphasis on regulations like HIPAA-HITECH,
EPCS and others, and areas of the world where healthcare is less
regulated or primarily government-operated.
Encryption Playing Larger Role in Healthcare Data Protection
Across the board, encryption is the technology of choice when it comes
to protecting sensitive data residing within cloud, IoT and container
environments. Sixty-five percent of U.S. healthcare respondents and 58%
of global healthcare respondents opt to encrypt data in the public
cloud, with the survey yielding similar numbers for IoT data (59% U.S.;
58% global) and container data (58% U.S.; 60% global).
Data sovereignty, a hot topic in light of concerns about new privacy
regulations and government snooping, is also spurring encryption
adoption. Encryption is the clear choice of 66% of global healthcare
respondents for satisfying local data privacy laws such as the EU’s
General Data Protection Regulation (GDPR).
Despite the healthcare industry’s growing interest in encryption, many
organizations remain stubbornly focused on network and endpoint
security. Network security is still the top choice for U.S. healthcare
spending by a wide margin (69%), compared to 53% of global respondents.
Endpoint security, at 61%, isn’t far behind. While network and endpoint
technologies are a required element of an organization’s IT security
stance, they are increasingly less effective at keeping external attacks at
bay, and in securing cloud, big data, IoT and container deployments –
which result in data being distributed, processed and stored outside
corporate network boundaries.
Peter Galvin, VP of strategy, Thales e-Security, says: “Globally and in
the U.S., healthcare companies are under pressure. In Europe, we see
data sovereignty’s impact on security decision-making. In the U.S.,
digital innovation is transforming the way patient information is
created, shared or stored. For healthcare data to remain safe from
cyber exploitation, encryption strategies need to move beyond laptops
and desktops to reflect a world of internet-connected heart-rate
monitors, implantable defibrillators and insulin pumps. Adhering to the
security status quo will create vulnerabilities that lead to breaches,
and further erode customer trust.”
Organizations interested in improving their overall security postures
should strongly consider:
• Deploying security tool sets that offer services-based deployments,
platforms and automation
• Discovering and classifying the location of sensitive data,
particularly within IoT and container environments
• Leveraging encryption and “Bring Your Own Key” (BYOK) technologies for
the cloud and other advanced environments