hales announces the results of its 2019 Thales Data Threat Report – Healthcare Edition revealing that 70% of U.S. healthcare organizations surveyed experienced a data breach, with a third reporting one in the last year alone. This is the greatest rate of any industry studied by Thales in conjunction with research and analysis firm IDC. In addition, 80% of healthcare organizations place sensitive data in the cloud. The report underscores the importance of putting new security strategies in place as healthcare data is highly targeted because of the value it has for cybercriminals.
“Our 2019 Data Threat Report – Healthcare Edition provides very clear evidence that sensitive patient information is at risk in the face of rapid cloud adoption with encryption rates being far too low in the healthcare industry,” said Tina Stewart, vice president market strategy for cloud protection and licensing activity at Thales. “Data security is increasingly complex, particularly for healthcare organizations immersed in cloud and digital transformation initiatives. The focus should be to encrypt everything in the cloud and keep control of the data by centrally managing the keys to the encrypted data.”
Majority of Healthcare Organizations Fail to Encrypt Everything in Digital Transformation Initiatives
According to the report, 100% of healthcare organizations – more than any other industry– are collecting, storing and sharing sensitive data within digital transformation technologies while 38% or less are encrypting data in these environments. Unlike other industries, healthcare organizations face a broad and ever-expanding threat surface due to the sheer volume of personally identifiable information.
While digital transformation technologies are making it easier for critical patient information to be shared among medical partners who play a key role in patient care, the difficulty to secure data has increased due to the growth of cloud environments. Compounding this challenge, the report reveals IT security spending is tapering off, leaving limited resources for safeguarding new environments in addition to legacy systems.
“When sensitive patient information is breached, it poses significantly longer-term risks compared to other sectors – sometimes indefinitely,” said Frank Dickson, program vice president for security products research, IDC. “Healthcare data is especially attractive to hackers because it’s far more valuable than other kinds of data that can be accessed and exploited. When healthcare data is stolen, damage cannot be fully mitigated. A credit card can be cancelled or a bank account can be closed, but private patient data circulates endlessly which opens opportunities for various types of fraud to occur again and again from a single breach.”
The Reality of the Multi-Cloud Healthcare Provider
The report found that healthcare providers continue to move to multi-cloud environments as part of their digital transformation efforts with 80% of respondents using sensitive data in the cloud. Specifically, 61% of respondents have 26 or more Software-as-a-Service (SaaS) applications, and nearly half (47%) have three or more Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) applications. Multi-cloud environments, according to those surveyed, make the job of protecting data challenging as 46% rated complexity as the top barrier to deploying data security.
Healthcare Institutions are Failing Compliance Audits
Though federal regulations governing healthcare organizations impose significant penalties for noncompliance, the report reveals data security compliance failures are on the rise. At least 25% of respondents failed data security compliance audits in the past year. In particular, healthcare providers signaled concerns meeting compliance mandates for key use cases such as cloud, big data and containers, and 62% plan to use encryption and tokenization to address these requirements. With 90% indicating they will be affected by data privacy or sovereignty regulations, IDC recommends healthcare organizations pursue a shared security model between themselves and their cloud providers. Otherwise, without sufficient flexibility built into their technologies to handle new regulation requirements when they occur, non-compliance issues will continue.
Key IDC Recommendations to Help Mitigate Risk
As guardians of sensitive patient data and with stringent penalties for noncompliance, IT professionals must make encryption, management of keys and access management (including strong or two-factor authentication) paramount to healthcare organizations. In the report, IDC recommends the following four key takeaways for reducing risks to sensitive healthcare data:
- ocus on all threat vectors;
- Invest in modern, hybrid and multi-cloud-based data security solutions that scale to modern architectures;
- Prioritize compliance issues; and,
- Adopt new data security strategies, including encryption and access management.