A recent Ponemon Institute study, State of Data Centric Security, gauged how 1,587 Global IT and IT security practitioners across 16 countries view today’s threat landscape and what their biggest concerns are.
While the findings mainly aren’t limited to healthcare (9 percent of respondents were health and pharmaceutical), the results help offer insight as what types of security needs other industries are focusing on. For instance, 57 percent of respondents said the uncertainty of the location of sensitive data is more of a concern to them than a potential hacker or malicious employee. An example of this fear in healthcare was news that Medtronic had to deal hackers from Asia, who were not able to steal any patient data, but it was unable to locate some patient records after hackers were able to access its diabetes unit network.
For purposes of this research, data centric security assigns a data security policy at creation and follows the data wherever it gets replicated, copied or integrated—independent of technology platform, geography or hosting platform. Data centric security includes technologies such as data masking, encryption, tokenization and database activity monitoring.
A mere 16 percent of respondents said they know where all sensitive structured data is located, and even less (7 percent) know where unstructured data is. Part of the issue is access control, as 19 percent say their organizations use centralized access control management and entitlements and 14 percent use file system and access audits. Moreover, 60 percent of respondents are not using automated solutions to locate sensitive data.
About 40 percent of respondents said they use automated solutions, and 64 percent of those respondents use it for discovering where sensitive or confidential data are located in databases and enterprise applications. Additionally, 22 percent use it to discover data in files and emails and another 51 percent said migration to new mobile platforms is a concern.
Some of these apprehensions regarding “finding the data” line up with what healthcare IT experts have told HealthITSecurity.com lately. Specially, a critical aspect of conducting a risk analysis is having a strong understanding of where the data is and being able to organize it between structured and unstructured information. Once it’s located and quantified the data, the organization can determine the best ways to secure the information. As referenced above, automation technologies may be a way toward efficiently locating that data.