Healthcare security needs a booster shot

A new survey from PricewaterhouseCoopers has found that a majority of health enterprises do not have the security in place, nor the policies, to properly protect patient data and privacy.

In its report, "Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground," the advisory firm PwC says health organizations are falling behind the rapid pace of technology adoption, which brings more data sharing, increased collaboration with partners, and the industry's fast embrace of electronic health records, mobile computing and social networks.

None of this is news to readers of CSOonline, as we covered the issues previously in "Digitized medical records are easy prey" and "Is health care security in intensive care?"

The findings are from a U.S.-based PwC Health Research Institute survey of 600 executives from hospitals, physician organizations, health insurers and pharmaceutical and life sciences companies.

In the survey, data theft scored high: In fact, theft of records accounted for 66 percent of reported health data breaches during the previous two years. Also, just over one-third of hospitals and physician groups reported cases of medical identity theft. And 54 percent of health organizations reported at least one issue with information privacy and security over the past two years.

"The increase in thefts doesn't surprise me, because attackers have the tools and smarts necessary to successfully attack these systems and get away with the goods," says Pete Lindstrom, research director at Spire Security. "The industry is exposing the data to the world and making more complex apps, and they're getting hacked as a result."

As one would suspect, a common issue is improper use of protected health information by insiders, with 40 percent of providers saying that has happened in their organization during the 24 months prior to the survey.

Given the lack of policies healthcare organizations have in place, it isn't surprising that there are problems with security and privacy. For instance, the survey found that more than half of firms allow access to social networking at work, while only 37 percent incorporate approved uses of mobile devices and social media as part of privacy training.

The survey also found that organizations that try to integrate their privacy and security efforts at least believe that the security of their organization's data has increased in the past year. However, the actual reduction in breaches for their effort has been anemic, from 1.22 average reported breaches in the past two years to 1.14.

"It's tough to tell if companies are getting the value out of their security investments, with the difference in breached vs. non-breached being so tight," Lindstrom says.

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter as @georgevhulme.
