Recently, I had the opportunity to read “Eye of the Storm – Key findings from the 2012 Global State of Information Security Survey” published by PWC (Pricewaterhouse Coopers). While the study is vendor/technology/industry/geography neutral – it really crystallized the angst that most of our healthcare clients are experiencing. Consider some of the Key Findings detailed in their survey and their applicability to healthcare:
Client requirements and compliance are the greatest drivers to information security change/investment: Between HIPAA/HITECH, EMR meaningful use, and the rise of the Business Associate Agreement – the need to prove security/compliance to key stakeholders (customers, management, and auditors) is escalating rapidly at the same time.
Companies now have greater insights than they’ve ever had into cybercrimes and other incidents: While I (non-strongly) agree with this statement in general, I definitely don’t see this in healthcare. I think my clients in healthcare feel the same way – which leads to that awful feeling of I know what I don’t know. I would argue that most organizations lack effective incident detection mechanisms (especially for Advanced Persistent Threats) and even those that do often have insufficient Incident Response capacity. We have seen a notable increase in the number of forensic investigation we have performed in the health care vertical over the last 9 month period.
One of the most dangerous cyber threats is an Advanced Persistent Threat attack: Generally speaking, more mature Information Security Management Systems are required to prevent and/or detect. The lack of funding/attention paid to HIPAA post its initial release, coupled with the significant and rapid rise in attention, investment, new technology, and its associated risk (e.g., Healthcare Identity Theft) has resulted in rapidly evolving (and hence immature) Information Security Management Systems in many healthcare organizations. Once EMR and mobility initiatives are fully deployed and stabilized I am hoping that we will see a move to the managerial, operational and supporting technical controls (e.g., NAC, SEM, IDM, Security Awareness Training, ISO 27001) necessary to address these type of attacks.
Managing the security-related risks associated with partners, vendors and suppliers has always been an issue. It’s getting worse: While this is an issue everywhere, HITECH moved this issue front and center in the Healthcare space. In the complex processes that support patient care and ensuing payments for same, virtually every healthcare organization is reliant on a myriad of third-party vendors for providing key services. Unfortunately, most lack sophisticated enough Vendor Risk Management programs to identify their vendors that require due diligence, determine the extent/rigor of the validation, deliver (or review) the assessments, and govern/monitor the process to manage security incidents and address deviations from contracted security levels. As I’ve noted before, one area that gets “sticky” is “sixth party risk” (managing the risk associated with your vendors’ vendors).
The percentage of CXO’s confident in the effectiveness of their Information Security activities has fallen from 84% to 72% over the last 7 years: My strong suspicion is that the dip in healthcare confidence exceeds that in most industries, with the possible exception of Energy.
Mobile devices and social media represent a significant new line of risk – and defense: The healthcare industry has perhaps the greatest demand for mobility – and hence the greatest challenge. Interestingly, only 37% of the respondents cited that they have a security strategy for mobile devices. We have noted that some of our clients that do have a security strategy for mobile devices have not extended it to address employee use of personal devices.
While the findings regarding “the eye of the storm” were cross industry – it’s clear that many of the most notable findings are current – and significant – pain-points for healthcare information security.
As PWC also points out at the 10,000 foot level the “answer” is easy:
- Alignment with the business
- Customer-centric approach
The challenge is executing at ground level.