Health care security spending is one of those riddles wrapped in a mystery inside an enigma. Electronic medical records (EMR), the very assets security solutions are supposed to protect, are probably the most prized item cybercriminals steal. On the Dark Web, a stolen EMR can fetch as much as $350 per individual file because it is laden with data the victim cannot change: date of birth, Social Security number, diagnoses and insurance details. By contrast, stolen credit card data goes for just a few dollars, since its useful shelf life is so short: once a card is reported stolen, it is easily replaced.

With so much at stake, why do health care organizations tend to spend so much less on data security than other vertical market sectors? By some estimates, health care organizations spend a paltry 1 to 2 percent on data security, while sectors such as financial services spend many times that. What can reasonably be done to provoke more security spending in a sector where stolen data assets are so valuable and where failing to protect them can carry very substantial fines under HIPAA?

Why the Low Spending? It’s Complicated

First, let’s look at why security expenditures in health care are so low. As a former oral surgeon, health care consultant and now security strategist, I can tell you the reasons are complicated. But above all else, security has traditionally not been a priority in health care.

A lot of that has to do with the composition of boards that often make security decisions in hospitals. Very often these boards are dominated by physicians for whom security is intangible, whereas they can see clear value in investing in an MRI or new CT scanner. In hospitals, margins are razor thin, and such equipment is very expensive. This doesn’t leave much room for spending on something invisible like data security.

There are other factors as well. For example, many of the digital devices commonly found in hospitals must be cleared or approved by the U.S. Food and Drug Administration (FDA). They often run on older, less secure operating systems, yet vendors have little incentive to upgrade them because vendors widely believe a change would trigger another round of FDA review. (The FDA's own postmarket cybersecurity guidance says routine security patches generally do not require a new premarket submission, but in practice many vendors still treat any change as a regulatory risk.) If hospital IT were to upgrade these devices itself, even where the vendor permits it, the work would be costly and cumbersome, and it could void support. Additionally, it is often very difficult for hospital IT teams even to know what software is running on some devices.

For ease of use, many hospitals run a flat network topology: medical devices, workstations and business systems all sit on one network with no segmentation between them. Some hospitals even run open Wi-Fi for patient areas on that same flat, relatively insecure network, so a compromised visitor laptop is one hop away from an infusion pump. Segmenting the network would, again, be costly and provide few tangible benefits from the clinicians' standpoint.

Health Care Security More Crucial Than Ever

It is clear that cybercriminals are increasingly targeting hospitals, quite possibly owing to the relative lack of secure systems in the health care industry. Ransomware attacks, in particular, are on the upswing because cybercriminals understand the highly mission-critical nature of real-time data in hospitals today. It is sometimes simply easier for a hospital to pay the ransom than to go without access to patient records and clinical systems for hours or days.

For practical purposes, what can IT departments do to elevate the importance of cybersecurity and provoke some much-needed additional spending to secure sensitive data? The best place to start is with a thorough security assessment. With today’s internal hospital IT staffs stretched to their limits, this is a perfect job for outside experts, and there are plenty of them who specialize in health care security.

In essence, a detailed security assessment will catalog the primary and secondary vulnerabilities and the risks they create. More importantly, a comprehensive evaluation can help IT professionals prioritize those risks and create a strategic road map for mitigation, along with cost estimates for each step in the process. For a 300-bed hospital, such an assessment might run in the $75,000 to $100,000 range, depending on a wide variety of factors.

The experts can then accompany the IT team to the boardroom to present the findings in a clear, unambiguous way. The presentation should include a frank and honest assessment of the highly dynamic threat environment. Experts can also help determine what fixes can be reasonably undertaken by the internal IT staff and which ones might be better off outsourced.

A Measured, Systematic Approach

Suggestions often start with relatively simple remediations, such as improvements to network monitoring. Hospitals typically outsource physical security. Why should elements of data security be any different, with certain aspects offloaded to experts for whom data security is a full-time job? There are many security-as-a-service solutions coming into the market that deserve consideration for securing health care data. The better ones are built for HIPAA-regulated environments; in practice that means the provider will sign a business associate agreement (BAA) and can show how protected health information is encrypted, logged and access-controlled on its side.

The bottom line is that a measured, systematic approach to health care data security is a wise course of action in an environment that has traditionally been spending averse when it comes to security.

Read the complete IBM X-Force Research Report: Security Trends in the Health Care Industry
