Data Security Comparison: Healthcare vs. Retail, Finance, and Government
By Robert Lord
Robert Lord is co-founder and CEO of Protenus of Baltimore, MD.
In 2016, the healthcare industry experienced, on average, more than one health data breach per day, and these breaches resulted in 27,314,647 affected patient records. Clearly, criminals are targeting patients’ medical information with great frequency and success.
How has the healthcare industry responded to this continuing epidemic? Data suggests there is still a lot of work for healthcare organizations to do in order to improve the security of their patient data. It’s important to look closely at and analyze how healthcare organizations’ security practices and spending compare to retail, finance, and government — three industries known to have proactively advanced their security posture to protect their sensitive data.
Compared to the retail and finance industries, the state of healthcare data security is sorely lacking. Since 2015, 140 million patient records have been compromised, meaning one in three Americans has had their health data inappropriately accessed. Ransomware attacks hit the healthcare industry especially hard, as 88 percent of all ransomware attacks target a healthcare organization.
Criminals are increasingly targeting healthcare because patients’ medical information is incredibly profitable on the black market and it’s more easily accessible when compared to more protected industries, such as finance. Within the finance industry, if a customer’s credit card or bank account number is stolen, that information can simply be changed, rendering it useless to the criminal. Patient data, on the other hand, is a repository of information that can be used to steal an individual’s identity – Social Security numbers, DOB, and addresses.
When combined with sensitive medical information like diagnoses, claims history, and medications, it can create the perfect storm for wreaking havoc in a patient’s life. This kind of information cannot be easily changed, and because of the lagging security in the healthcare industry, this data is incredibly easy to obtain and increasingly vulnerable to criminals’ sophisticated attacks.
There is no question that when compared to other industries, healthcare falls short when it comes to data security. A 2015 survey found that only 31 percent of healthcare organizations used extensive methods of encryption to protect sensitive data and 20 percent used no encryption at all. Another study found that 58 percent of organizations in the financial sector used encryption extensively. These results are concerning because the information healthcare organizations must protect is far more sensitive and potentially damaging than the information retail and finance organizations gather and protect even though the latter group is more proactive in keeping this information safe.
Retail and financial service organizations have more experience protecting customer data from cyber criminals. This gives them an advantage over healthcare organizations, which are relatively new to the game and whose unique security challenges require specially designed solutions. It’s past time for healthcare organizations to invest substantially in protecting patient data. Sadly, according to KPMG, this has not yet occurred at the necessary scale, as IT security spending in the healthcare industry is just 10 percent of what other industries spend on security.
Incentives exist for healthcare organizations to improve their security posture because the cost of a healthcare breach is significantly higher than in other industries. The average cost per lost or stolen record is $158 across all industries. In the retail sector, the cost is $200 per record lost or stolen. In the financial sector, the cost is $264 per record.
Compare this to the healthcare industry, where the average cost per record lost or stolen is $402, double that of the retail sector. Why are healthcare data breaches so much more expensive? In the aftermath of a breach in a heavily regulated industry like healthcare, the breached organization must conduct a forensics investigation and notify any affected patients. These organizations must also pay any HIPAA fines or penalties incurred because of failure to comply with federal or state regulations. This is in addition to legal fees, lawsuits and, most importantly, the long-term damage to the affected organization’s brand reputation and the resulting loss of patient revenue.
However, it’s important to note that healthcare is not the only industry to have fallen behind when it comes to data security. The US government has also struggled to institute effective data security practices. A study by SecurityScoreCard examined the security posture of 600 local, state, and federal government organizations and compared them to other industries. The study found that government organizations had some of the lowest security scores, trailing behind the transportation, retail, and healthcare industries. It also found that there were 35 major data breaches of the surveyed organizations from April 2015 to April 2016.
In the summer of 2015, the Office of Personnel Management (OPM) announced that it had suffered a massive data breach. The sensitive information of over 21 million people had been stolen, including fingerprints, Social Security numbers, and sensitive health information. A report from the House Committee on Oversight and Government Reform alleged that poor security practices and inept leadership enabled hackers to steal this enormous amount of sensitive data. OPM immediately began to implement changes aimed at improving its security posture and preventing a breach of this scale from happening again. However, one can’t help but consider how much less damage would have been done if OPM had made these changes as a proactive data security measure instead of a reactive one.
While healthcare organizations have had their fair share of data breaches, the OPM breach must serve as a lesson to the industry. Since that incident, the government has prioritized cybersecurity and focused on finding solutions to protect our nation’s sensitive information, data, and assets. Healthcare organizations must follow suit.
Here are five things healthcare organizations can do now to improve their health data security:
- Ideally, treat security risk assessments as an ongoing process rather than a once-per-year event; at the very least, ensure they are done annually.
- Encrypt data stored in portable devices.
- Assess other third-party security risks.
- Proactively monitor patient data for inappropriate access.
- Educate and retrain staff on how to properly handle sensitive data.
Healthcare must make privacy and security top priorities, learning from the past, applying knowledge from other industries, and creating unique solutions specifically designed for the complicated healthcare clinical environment. This will ultimately provide healthcare organizations with the tools to keep sensitive patient information safe, maintain the organization’s brand reputation, and most importantly, increase patient trust.