Healthcare Data is the Next Vulnerable Target for Hackers

Another day, another hack. And not just any old hacking incident, but one involving yet another healthcare provider, which only demonstrates how vulnerable the industry is.  In the case of the recent Excellus breach, initial investigation reports put hackers inside their network for over a year and a half.

The breach was uncovered as part of a routine security assessment, but I have one question.  When was the last time an assessment was performed if hackers remained in their network for 20 months before being discovered?  Even organizations without the most sophisticated security programs are doing routine assessments or pen tests on at least a quarterly basis.

It is no surprise that healthcare organizations accounted for the most data breaches in the first half of 2015, according to a new report.  First, the industry in general was a late adopter of digital, mobile and cloud technologies, with the advent of electronic health records in just the last five years.  The industry was mandated to roll these technologies out quickly, which didn't allow a lot of time for information security discussions.

Second, health data was never considered a lucrative target.  But while financial information such as credit card numbers has become less valuable on the black market, the asking price for a full personal health record has skyrocketed.

Finally, information security investment in the healthcare industry has been among the lowest, accounting for only about 3% of overall IT spend.  Experts from leading healthcare associations such as HIMSS have stated that spend should be at least 10% of overall information technology budgets.

As is typical, it takes a few major data breaches to open the eyes of an industry, get them to respond, and take information security seriously.  But the healthcare industry has a lot of catching up to do.  Many organizations are just beginning to build out their security infrastructure in areas such as vulnerability risk management, authentication, and identity and access management.

In my role as a consumer, I don't want to believe that health insurers and providers don't care about protecting my personal information.  But I'm left to wonder if that isn't at least partially true.  In the case of my bank or favorite retailer, they know the damage it can cause to their brand when customers move their money to the credit union down the street or shop at a different store.  In the case of healthcare services, it's not so easy to just change insurers, as coverage is often through an employer and open enrollment is only once a year.  It's an interesting perspective.