External hackers top the list of data security vulnerabilities at U.S. healthcare organizations with good reason: 80 percent admit that their IT systems have already been compromised by cyber-attacks. Further analysis shows the healthcare sector falling short in efforts to manage and track incidents.
A KPMG survey of 223 healthcare executives at provider and payer organizations revealed those findings. All surveyed organizations had revenues of at least $500 million, and 70 percent had revenues in excess of $1 billion.
Aside from the direct hacker threat, respondents are also worried about security exposures in the areas of data-sharing with third parties, employee breaches or theft of data, wireless computing and data inadequately protected by firewalls.
Respondents say their top information security concerns are malware infecting systems and HIPAA violations that compromise patient privacy.
At the core of the risk, according to KPMG, is the “richness and uniqueness of information that health plans, doctors, hospitals and other providers handle. Apart from typical financial fraud, there is also the possibility of medical insurance fraud, or, in the case of providers, attacks on computer-controlled medical devices.” Given the elevated threat potential and increased value of compromised data on the black market, cyber-attacks are becoming more sophisticated and well funded.
“The magnitude of the threat against healthcare information has grown exponentially, but the intention or spend in securing that information has not always followed,” said Michael Ebert, KPMG partner and the firm’s Cyber Practice leader for healthcare.
Case in point: Only 13 percent of survey respondents reported tracking known cyber-attack breach attempts at a frequency of more than once daily. The largest group — 44 percent — said they attempted to track cyber threats less than 50 times in the last 12 months.
“Mature incident and vulnerability management processes are lacking in most organizations, and thus, daily threats aren’t even reported or managed effectively by many organizations,” the report says.
In addition, many organizations are likely underreporting security threats, according to KPMG. Twenty-five percent of respondents don’t have, or are unaware of, the capability to detect in real time whether their systems are being compromised.
And while more than 85 percent of respondent organizations report investments in information security during the past 12 months, most areas are not adequately protected. At the high end, 70 percent rate IT compliance and risk management as adequately protected, compared to just 35 percent at the low end for management of vendor security risks.
The discrepancy is “the direct result of an ad hoc approach to building security into the networks, which boils down to uncoordinated buying,” the report states.
As such, KPMG recommends a fresh look at information security in the following areas:
- Cyber security should be incorporated into the organization’s technology and network architecture upfront, via strategic design.
- An executive should be appointed to take sole responsibility for cyber security, equipped with capabilities for instant monitoring.
- Board members should be conversant in security measures and able to advise management accordingly.
- Organizations must recognize the inherent risk of working with multiple third parties and identify the risks that need to be remediated.
These measures will help organizations minimize the risks that naturally come with interconnected data.