The Future of Securing Patient Data: How the Health Industry is Addressing the Healthcare Cybersecurity Skills Shortage
The cybersecurity skills gap will reach 1.8 million by 2022, according to the Global Information Security Workforce Study. The healthcare industry specifically plans to increase their workforce by 20 percent or more, which is higher than any other industry surveyed. This growing demand for information security staff reflects the grim healthcare cybersecurity environment. Information security professionals understand that it’s not “if” your organization will experience a cyber attack, but rather “when.”
Healthcare is a Target
So, what’s fueling the pressing demand for healthcare cybersecurity professionals? It’s the industry most targeted by cybercriminals. In 2017, the Department of Health and Humans services reported a total of 140 data breach incidents categorized by IT/hacking, representing a 23.89 percent increase over the 113 IT/hacking incidents published in 2016.
Ransomware was a large contributor to these attack numbers as we witnessed Petya and WannaCry wreak havoc on healthcare organizations around the globe. In addition to ransomware attacks, healthcare is targeted by fraudsters due to the high desirability of patient data. Patient data fuels false billing involving Medicare, and Medicaid, and this fraud industry costs taxpayers nearly $100 billion per year according to the U.S. Department of Justice. Employees and insiders are increasingly coaxed into accessing sensitive data to sell on the dark web or commit fraud.
In fact, 60 percent of all cybersecurity attacks are caused by employees inside an organization according to IBM. This creates great difficulty for privacy and security staff trying to get a handle on security incidents and breaches.
In addition to the desirability of patient data for fraudsters, the healthcare industry faces additional challenges that contribute to the security and privacy workload:
- Outdated Systems: Because of stressed finances, hospitals may have proprietary or outdated systems that are more difficult to secure than more modern systems
- Complex workflows: Healthcare organizations depend upon complex workflows for clinical, revenue cycle and business operations. These workflows cover multiple applications and users and pose privacy and security challenges
- Large volumes of data: Health systems hold large volumes of confidential data including demographic, financial, clinical, and increasingly, genomic data
- Shadow IT: These shadow systems, used outside of explicit organizational approval and knowledge, often lack security controls and put the organization at increased risk
- Heavy Regulatory Burden: Healthcare is a heavily regulated industry with compliance obligations to bodies like HIPAA/HITECH, PCI, FERPA, SOX, JCAHO, Meaningful Use, FDA, and others (Request your regulatory mapping guide: Here)
- Mergers and Acquisitions: As cybersecurity thought leader Bruce Schneier noted: “The worst enemy of security is complexity.” The growing merger and acquisition activity in healthcare heightens complexity by introducing new systems, users, workflows etc. that security and privacy staff must analyze and secure. It’s essential that security and privacy be robust in healthcare, and Chief Privacy and Security Officers are struggling to hire healthcare cybersecurity staff. As a result, they are afforded little time to develop and mature their privacy and security programs to defend against the growing threat vectors.
Turning to Managed Security Services
Healthcare organizations are increasingly turning to managed security services such as Imprivata FairWarning’s Managed Privacy Services to mitigate risk and tackle the healthcare cybersecurity skills shortage. Managed security services provide outsourced monitoring and management of accounts, devices, and systems. Below are the key reasons why healthcare organizations are adopting managed security services:
- Hiring and retaining healthcare cybersecurity staff can be difficult: Due to budget restraints on salaries and training and competition among industries, hiring and retaining trained healthcare cybersecurity staff is a difficult task
- Managed Security Services is scalable: Securing ePHI is a robust task due to mergers and acquisitions, cloud services, and shadow IT. Having scalable security is imperative to protect the vast and growing footprint of ePHI in healthcare
- Organizations need to be proactive versus reactive about preventing cyber threats: Cybersecurity threats are evolving at a rapid pace, so a proactive approach to security is necessary to secure ePHI in 2018 and beyond. Working with managed security services allows for monitoring and alerting proactively to address security threats to prevent them from becoming full-blown breaches
- It’s not “if” you will be breached but “when”: In today’s cyber threat environment, every organization should have a well thought out breach response plan. Partnering with a managed security service provider allows the benefit of combined experience in dealing with security incidents and breaches
- It makes budgeting easier for IT and security leaders: Managed security services is often a one-year or a three-year contract, eliminating the variable costs of in-house monitoring
Within two to three months using Imprivata FairWarning Managed Privacy Services, we saw a huge reduction in improper access.
Take Back Control of Your Time
The healthcare industry will continue to face severe challenges to secure patient data. However, security and privacy professionals are utilizing managed security services such as Imprivata FairWarning’s Managed Privacy Services to better secure patient information and save valuable time. As a result, they’re evolving a proactive approach to security and privacy and developing state of the art programs that can secure patient data in the age of advanced threats.
Click Here to Learn More About Imprivata FairWarning’s Managed Privacy Services