The 2017 Thales data threat report published earlier this week shows the healthcare industry is responding to the increased threat of data breaches and cyberattacks by committing more funds to improving cybersecurity defenses.
After two record-breaking years of healthcare data breaches – 2015 in terms of the number of records exposed or stolen, and 2016 in terms of the number of breaches reported – it is clear that the healthcare industry is under attack.
2016 also saw a record number of settlements reached with the Department of Health and Human Services’ Office for Civil Rights. Last year there were 12 HIPAA settlements and one Civil Monetary Penalty issued to resolve HIPAA violations discovered during healthcare data breach investigations.
Healthcare organizations are certainly feeling the heat. In the US, 90% of healthcare organizations feel vulnerable to data threats. There was also a 2% increase in the number of healthcare organizations that experienced a data breach in the past 12 months. 20% said they had a data breach in the past 12 months and 55% of healthcare organizations say they have had a historic data breach.
In the past, the healthcare industry has lagged behind other industry sectors when it comes to cybersecurity. That is now starting to change. Healthcare organizations have responded to the increased threat level by committing more funds to their cybersecurity programs; considerably more this year than other industry sectors.
Last year, only 60% of healthcare organizations increased cybersecurity spending. According to the Thales threat report, 81% of healthcare organizations will be increasing their cybersecurity budgets this year, compared to the overall industry average of 73% and the global healthcare industry average of 76%.
94% of healthcare organizations are now using advanced technologies to protect sensitive data. 61% use SaaS, 50% IaaS, 39% PaaS, 59% use Big Data, 19% use containers, and 5% are now using blockchain.
The biggest spending priority for healthcare organizations is complying with industry regulations. 57% of healthcare organizations say their main spending priority is compliance, 40% say it is to prevent data breaches, 34% say it is to adopt best practices, and 27% say spending has increased in response to increased cloud use.
How is the money going to be spent? 69% of healthcare organizations are increasing spending on network security, 61% are investing in endpoint and mobile protection measures, 62% are increasing spending on analysis and corrections, 51% on technologies to protect data in motion, and 47% on technologies to protect data at rest.
92% of healthcare organizations believe network security is very or extremely effective at preventing data breaches – an increase of 14% year on year – while 67% believe endpoint protection is very or extremely effective – an increase of 3% year on year.
Garrett Bekker, Senior analyst at 451 Research, points out that healthcare organizations need to think carefully about the technologies they use to keep data secure: “Organizations keep spending on the same solutions that worked for them in the past but aren’t necessarily the most effective at stopping modern breaches.” Bekker also said, “Spending on securing internal networks from external threats is less and less effective – and relevant – as both the data and the people accessing it are increasingly external.”
When it comes to barriers preventing the adoption of better cybersecurity defenses, 53% said complexity is a major issue. 39% said they lack the staff to manage those defenses, 36% cited performance concerns, 33% lack the budget, while 26% said they lacked organizational buy-in.
48% of healthcare organizations believe cybercriminals are the main external threats, but internal threats are also a major concern. Privileged users are rated as the biggest internal threat according to 61% of organizations, followed by executive management (46%), contractors (33%) and service providers (26%).
Peter Galvin, VP of strategy, Thales e-Security, says, “For healthcare data to remain safe from cyber exploitation, security strategies need to move beyond laptops and desktops to encompass an ‘encrypt everything’ approach that best suits a world of internet-connected heart-rate monitors, implantable defibrillators and insulin pumps. Adhering to the security status quo will create vulnerabilities that lead to breaches, and further erode customer trust.”