Health care security spending is one of those riddles wrapped in a mystery inside an enigma. Assets such as electronic medical records (EMR), which are ostensibly protected by security solutions, are probably cybercriminals’ most prized purloined item. On the Dark Web, a stolen EMR laden with its immutable data can fetch as much as $350 per individual file because there is so much permanent personal information contained therein. By contrast, stolen credit card data goes for just a few bucks, since its useful shelf life is so short. Once stolen, it is easily replaced.

With so much at stake, why do health care organizations tend to spend so much less on data security than other vertical market sectors? By some estimates, health care organizations spend a paltry 1 to 2 percent on data security, while sectors such as financial services spend many times that. What can be reasonably done to provoke more security spending in the health care sector, where stolen data assets are so valuable and failing to protect those assets can carry very substantial fines?

Why the Low Spending? It’s Complicated

First, let’s look at why security expenditures in health care are so low. As a former oral surgeon, health care consultant and now security strategist, I can tell you the reasons are complicated. But above all else, security has traditionally not been a priority in health care.

A lot of that has to do with the composition of boards that often make security decisions in hospitals. Very often these boards are dominated by physicians for whom security is intangible, whereas they can see clear value in investing in an MRI or new CT scanner. In hospitals, margins are razor thin, and such equipment is very expensive. This doesn’t leave much room for spending on something invisible like data security.

There are other factors as well. For example, vendors of many of the digital devices commonly found in hospitals need to be certified by the U.S. Food and Drug Administration (FDA). They often run on older, less secure operating systems, yet vendors have little incentive to upgrade these devices because that would trigger another round of FDA certifications. If IT were to upgrade these devices — even if that were permitted — it would be costly and cumbersome. Additionally, it would be very difficult for hospital IT teams to even know what is running on some devices.

For ease of use, many hospitals have a flat network topology, with all devices running on this network. Some hospitals even have open Wi-Fi for patient areas running on the same flat, relatively insecure network. Upgrading, again, would be costly and provide few tangible benefits from the clinicians’ standpoint.

Health Care Security More Crucial Than Ever

It is clear that cybercriminals are increasingly targeting hospitals, quite possibly owing to the relative lack of secure systems in the health care industry. Ransomware attacks, in particular, are on the upswing because cybercriminals understand the highly mission-critical nature of real-time data in hospitals today. It’s sometimes simply easier for hospitals to pay the ransom rather than risk using compromised systems for hours or days.

For practical purposes, what can IT departments do to elevate the importance of cybersecurity and provoke some much-needed additional spending to secure sensitive data? The best place to start is with a thorough security assessment. With today’s internal hospital IT staffs stretched to their limits, this is a perfect job for outside experts, and there are plenty of them who specialize in health care security.

In essence, a detailed security assessment will uncover all primary and secondary vulnerabilities and risks. More importantly, a comprehensive evaluation can help IT professionals prioritize risks and create a strategic road map for mitigation going forward, along with associated cost estimates for each step in the process. For a 300-bed hospital, this assessment might run in the $75,000 to $100,000 range, depending on a wide variety of factors.

The experts can then accompany the IT team to the boardroom to present the findings in a clear, unambiguous way. The presentation should include a frank and honest assessment of the highly dynamic threat environment. Experts can also help determine what fixes can be reasonably undertaken by the internal IT staff and which ones might be better off outsourced.

A Measured, Systematic Approach

Suggestions often start with relatively simple remediations, such as improvements to network monitoring. Hospitals typically outsource physical security. Why should elements of data security be any different, with certain aspects offloaded to experts for whom data security is a full-time job? There are many security-as-a-service solutions coming into the market that deserve consideration for securing health care data, and the better ones are fully HIPAA compliant.

The bottom line is that a measured, systematic approach to health care data security is a wise course of action in an environment that has traditionally been spending averse when it comes to security.

Read the complete IBM X-Force Research Report: Security Trends in the Health Care Industry

More from Data Protection

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

Meeting Today’s Complex Data Privacy Challenges

Pop quiz: Who is responsible for compliance and data privacy in an organization? Is it a) the security department, b) the IT department, c) the legal department, d) the compliance group or e) all of the above? If you answered "all of the above," you are well-versed in the complex world of compliance and data privacy! While compliance is a complex topic, the patchwork of regulations imposed by countries, regions, states and industries further compounds it. This complexity has turned…