Healthcare has the lowest security rating of the four major industries analyzed by BitSight Technologies (the others being retail, utilities and finance). On BitSight's scale of 250 to 900, healthcare ended the first quarter of 2014 with a score of 660, its highest during the year the study covered, and still about 100 points below the finance industry. Healthcare data breaches shared some dubious patterns with the retail industry: both markets suffered a high number of security incidents coupled with slow response times. Adverse security events in healthcare lasted more than five days on average.
Chandu Ketkar, technical manager at Cigital, Inc., addressed the security risks facing healthcare in BitSight’s report, saying, “When sensitive data is compromised, it can not only create risks for patients, but also expose health care providers and device manufacturers to regulatory and business risks.”
The BitSight report referenced Verizon’s 2014 Data Breach Investigations Report (DBIR), which also revealed some telling statistics about healthcare security. Physical theft and loss of devices accounted for 46% of attacks in healthcare, far and away the highest percentage among all the industries examined in the DBIR; the industry with the second-highest share of data breaches stemming from device loss and theft came in at 19%. A board member of the National Health Information Sharing and Analysis Center attributed the high percentage of breaches caused by device theft to the view that healthcare is more mature than other vertical markets and more reliably reports missing devices.
What can be done to mitigate the damage a data breach can cause, once it is discovered? The American Health Information Management Association armed providers with tools to prevent breaches by publishing a guide aimed at helping them secure protected health information and meet the data breach response requirements laid out by the HIPAA omnibus rule. The guide, titled “Breach Management Toolkit: A Comprehensive Guide for Compliance,” is designed to walk healthcare organizations through each step of the data breach discovery process, from investigating the cause through notifying and reporting it to the appropriate parties.