Healthcare Organizations Prioritizing Compliance Over Data Breach Prevention

A recent survey conducted by 451 Research on behalf of security firm Vormetric indicates 96% of IT managers expect their organizations to be attacked by cybercriminals.

The survey polled 1,100 IT managers, including more than 100 working in healthcare organizations. One in five organizations has experienced a data breach in the past 12 months, while 63% of respondents said they have experienced a data breach at some point in the past.

Even though the threat of a data breach is considerable, a majority of healthcare IT managers say their organizations are prioritizing compliance over data breach prevention. 61% of healthcare IT managers said compliance was their main priority, compared to just 40% who said it was data breach prevention. Other priorities were preventing reputation and brand damage and implementing security best practices, rated as the main priorities by 49% and 46% of respondents respectively.

More than Two Thirds of Respondents Said Achieving Compliance Was an Effective Way of Protecting Data
69% of healthcare IT managers said achieving compliance with EPCS, FDA CFR Title 21, HIPAA and PCI DSS was an extremely or very effective way to protect data and prevent breaches.

HIPAA requires healthcare organizations to implement administrative, physical, and technical safeguards to protect ePHI; however, the report explains that compliance is only one aspect of data security. 451 Research senior analyst Garrett Bekker pointed out that many HIPAA-compliant healthcare organizations have still experienced PHI breaches. Compliance with HIPAA is important and will go some way toward preventing breaches of sensitive data, but the legislation only sets minimum standards for data security.

It is not surprising that healthcare organizations are making compliance a priority, especially with the second round of compliance audits taking place this year. However, if data breaches are to be prevented, far greater cybersecurity protections need to be put in place.

When asked about the barriers that are preventing the adoption of better data security protections, 54% of respondents said the main problem was the complexity of the task. 38% of respondents said a lack of staff was preventing better protections from being put in place. The researchers point out that complexity was certainly a problem in the past, although modern data security solutions are easier to deploy and lack many of the maintenance problems that respondents are familiar with.

The report indicates that healthcare organizations are favoring investment in traditional defenses to protect data from attack and are implementing technologies to improve endpoint and network security defenses. Bekker points out that these technologies do little to protect data if the perimeter is breached and suggests that more should be done to protect data at rest.

49% of respondents said they have increased spending on network defenses, and 79% of respondents said network defenses were extremely or very effective at protecting data. Endpoint and mobile defenses were rated as very or extremely effective at protecting mobile devices from attack, but less than half of respondents said they were increasing spending on measures to protect data-at-rest.

The report indicates that 38% of healthcare organizations are planning to store data in IoT environments, although 37% said they were concerned about privacy violations occurring as a result of IoT environments, while 36% were concerned about protecting IoT data.

Healthcare organizations are increasingly using the cloud to store sensitive data, although there is considerable concern about data security. 74% of respondents said they were concerned about privileged user abuse at the cloud level, 72% were concerned about meeting compliance requirements related to cloud storage, and 69% were concerned about security breaches at the cloud user level.

In spite of these security concerns, around half of respondents said they were planning to use SaaS environments (48%), while 53% were planning to use IaaS and PaaS resources in the next 12 months. 51% of respondents said they were planning on storing sensitive data in these environments.

The 2016 Vormetric Data Threat Report can be found on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.