The Conundrum of Health Care Security Spending

Health care security spending is one of those riddles wrapped in a mystery inside an enigma. Assets such as electronic medical records (EMR), which are ostensibly protected by security solutions, are probably cybercriminals’ most prized purloined item. On the Dark Web, a stolen EMR laden with its immutable data can fetch as much as $350 per individual file because there is so much permanent personal information contained therein. By contrast, stolen credit card data goes for just a few bucks, since its useful shelf life is so short. Once stolen, it is easily replaced.

With so much at stake, why do health care organizations tend to spend so much less on data security than other vertical market sectors? By some estimates, health care organizations spend a paltry 1 to 2 percent on data security, while sectors such as financial services spend many times that. What can be reasonably done to provoke more security spending in the health care sector, where stolen data assets are so valuable and failing to protect those assets can carry very substantial fines?

Why the Low Spending? It’s Complicated

First, let’s look at why security expenditures in health care are so low. As a former oral surgeon, health care consultant and now security strategist, I can tell you the reasons are complicated. But above all else, security has traditionally not been a priority in health care.

A lot of that has to do with the composition of boards that often make security decisions in hospitals. Very often these boards are dominated by physicians for whom security is intangible, whereas they can see clear value in investing in an MRI or new CT scanner. In hospitals, margins are razor thin, and such equipment is very expensive. This doesn’t leave much room for spending on something invisible like data security.

There are other factors as well. For example, vendors of many of the digital devices commonly found in hospitals need to be certified by the U.S. Food and Drug Administration (FDA). They often run on older, less secure operating systems, yet vendors have little incentive to upgrade these devices because that would trigger another round of FDA certifications. If IT were to upgrade these devices — even if that were permitted — it would be costly and cumbersome. Additionally, it would be very difficult for hospital IT teams to even know what is running on some devices.

For ease of use, many hospitals have a flat network topology, with all devices running on this network. Some hospitals even have open Wi-Fi for patient areas running on the same flat, relatively insecure network. Upgrading, again, would be costly and provide few tangible benefits from the clinicians’ standpoint.

Health Care Security More Crucial Than Ever

It is clear that cybercriminals are increasingly targeting hospitals, quite possibly owing to the relative lack of secure systems in the health care industry. Ransomware attacks, in particular, are on the upswing because cybercriminals understand the highly mission-critical nature of real-time data in hospitals today. It’s sometimes simply easier for hospitals to pay the ransom rather than risk using compromised systems for hours or days.

For practical purposes, what can IT departments do to elevate the importance of cybersecurity and provoke some much-needed additional spending to secure sensitive data? The best place to start is with a thorough security assessment. With today’s internal hospital IT staffs stretched to their limits, this is a perfect job for outside experts, and there are plenty of them who specialize in health care security.

In essence, a detailed security assessment will uncover all primary and secondary vulnerabilities and risks. More importantly, a comprehensive evaluation can help IT professionals prioritize risks and create a strategic road map for mitigation going forward, along with associated cost estimates for each step in the process. For a 300-bed hospital, this assessment might run in the $75,000 to $100,000 range, depending on a wide variety of factors.

The experts can then accompany the IT team to the boardroom to present the findings in a clear, unambiguous way. The presentation should include a frank and honest assessment of the highly dynamic threat environment. Experts can also help determine what fixes can be reasonably undertaken by the internal IT staff and which ones might be better off outsourced.

A Measured, Systematic Approach

Suggestions often start with relatively simple remediations, such as improvements to network monitoring. Hospitals typically outsource physical security. Why should elements of data security be any different, with certain aspects offloaded to experts for whom data security is a full-time job? There are many security-as-a-service solutions coming into the market that deserve consideration for securing health care data, and the better ones are fully HIPAA compliant.

The bottom line is that a measured, systematic approach to health care data security is a wise course of action in an environment that has traditionally been spending averse when it comes to security.

Read the complete IBM X-Force Research Report: Security Trends in the Health Care Industry
Share this Article:
Michael Ash

Associate Partner, Security Strategy Risk & Compliance, IBM

With more than 25 years of technical expertise, Dr. Mike Ash has experience in all phases of complex information systems lifecycle and product management. He is currently an Associate Partner in IBM’s Security Strategy Risk and Compliance group. Specializing in healthcare cybersecurity for North America, in both healthcare and pharma. During his career, he has led large-scale network and application development teams leveraging business, clinical, and technical expertise. He has functioned as a Solution Architect and Project Manager for varied IT and software development projects in the U.S. as well as Asia, and EMEA, developing markets in various verticals. He has experience in multiple standards including: NIST, ISO, HIPAA, FISMA, and FedRAMP. Mike leveraged his healthcare and system engineering expertise to solve complex problems in the medical and pharmaceutical space.