Last week, I had the pleasure of attending the SANS Healthcare Security Summit in San Francisco. It was great to see one of the leading educational and awareness organizations team up with the National Health Information Sharing and Analysis Center (NH-ISAC) to put on this important event. The value of these symposiums cannot be overstated. It is critical to find ways not only to share information virtually about the latest threats and attacks on the healthcare sector, but also to gather physically to exchange ideas about best practices and network with peers. These forums are the perfect opportunity to generate and foster communities of interest, not only within the healthcare sector but also among institutions and organizations that contend with similar resource constraints, staff skill sets and infrastructure while protecting the sanctity of patient data.
The agenda was populated with very relevant content and industry experts on how to defend against the next generation of targeted attacks against the sector. Content also covered ways to leverage the robust set of security controls outlined by the SANS Institute in its Top 20 Critical Controls. I had the opportunity to sit on a panel of esteemed peers in the security industry. Joshua Corman, CTO of Sonatype; Jukka Alanen, VP of Corporate Strategy for Arxan; Isabelle Dumont, Director, Industry and Vertical Initiatives, Palo Alto Networks; and Kenneth Peterson, CEO, Churchill & Harriman addressed topics and questions ranging from mobile and web application security to breach detection concerns across the healthcare sector.
The most recent SANS Healthcare survey found that 41 percent of respondents consider their current breach detection capabilities insufficient. Growing concern about breach detection makes sense. NSS Labs has taken a look at this market, and it shows no sign of slowing down: they are projecting a 37 percent growth curve for this type of capability through 2018. Healthcare may be at the top of the list for this type of need. They also analyzed which solution providers offer the biggest bang for the buck in terms of the technology capabilities needed to bring this much-needed visibility into our networks.
Statistics over the last two years have shown that healthcare has suffered the highest number of security breaches. Let’s take a look at what’s happened in healthcare over the past year. It makes for pretty worrying reading for IT and information security professionals working in the industry, not to mention hospital administrators. The latest 2014 Data Breach Category Summary from the Identity Theft Resource Center, an independent non-profit body, found that healthcare accounted for 43 percent of all breaches this year to date. That’s more than any other sector by quite some margin: the next nearest was the business sector, which accounted for 35 percent, followed by government/military with 12 percent. In total, the industry has suffered 302 breaches to date, exposing nearly eight million sensitive records.
With all of the transformation and disruption occurring in healthcare since 2008, it is no wonder that the challenges of acquisitions, decentralized infrastructure, eHealth initiatives and shrinking or flat IT and security budgets have taken their toll. This rate of change will not slow down; in fact, its cadence will only continue to grow exponentially. Legacy technology infrastructure has been leveraged to keep mission-critical applications and services running. Support and security patches for these operating systems have not kept pace with the attacks being waged against our healthcare ecosystems, thus creating targets for threat actors and adversaries.
If you care to hear more about the state of information security in healthcare institutions, attend the SANS webcast tomorrow, Dec. 9, at 1 p.m. EST. Register here.