Hospitals are responding to healthcare data security threats, with nearly 29 percent of them targeting facility IT spending toward increased security, according to a recent IDC study.
Over the course of the past year, healthcare data security has been thrust into the spotlight as a result of several large-scale healthcare data breaches such as the Anthem data breach or the Premera Blue Cross data breach. As a response, hospitals are working to adopt better security practices.
According to IDC, facilities of different sizes have varying approaches when prioritizing security measures. While smaller hospitals with between 200 and 499 beds and medium-sized hospitals with between 500 and 999 beds invested in infrastructure and datacenter security equally (48 percent and 47.8 percent, respectively), larger hospitals had other concerns.
Only about 33 percent of larger hospitals with over 1,000 beds reported datacenter and infrastructure security as their top priority. Instead, about 43 percent of large hospitals reported cloud security requirements as their top priority. Only 24 percent of small hospitals and 28 percent of medium hospitals prioritized cloud security in the same way.
Improving monitoring of a healthcare environment for security issues was another top priority for large hospitals, with 42.9 percent of them reporting this as one of their top security investment areas. Thirty-six percent of small hospitals highly prioritized these efforts, and 26 percent of medium hospitals prioritized monitoring the healthcare environment.
As hospitals strengthen their defenses against data breaches, they also grow more comfortable with some of the technology they adopt. This past year saw an increase in providers comfortable with cloud use, with 30 percent of providers reporting comfort in 2014 and a 41.5 percent increase of providers reporting the same in 2015.
That increase could be a result of the increased spending on data security. Because hospitals are investing more in security options, providers might be more at ease using health IT and less concerned that a data breach could occur.
The security strategies hospitals are investing in are also changing. As healthcare data breaches are sometimes caused by a growing and more sophisticated set of tactics, security strategies are reportedly maturing as well.
Specifically, cybersecurity is growing in popularity, and that growth is expected to continue into this year.
“Cybersecurity is one of the new growth areas in the provider IT budget, and this growth is expected to continue in 2016,” the report’s author, Judy Hanover, wrote. “Threats are top of mind, but the increased availability of resources for IT security is allowing providers to begin to implement strategies to secure data and networks. Top priorities included focusing on security in the cloud, monitoring the environment, and controlling shadow IT.”
It may be a good thing that cybersecurity efforts increased in 2015 and are on a course to continue. In 2015, the top ten largest healthcare data breaches were categorized as “hacking/IT incidents” in the Office for Civil Rights (OCR) breach database.
Furthermore, the three largest breaches – Anthem Inc., Premera Blue Cross, and Excellus – in total affected nearly 100 million individuals.
Of all of the healthcare data breaches in 2015, a massive 98 percent were caused by cybersecurity issues, according to a recent Bitglass report. This is an increase from the 68 percent of health data breaches attributed to hacking in 2014.
Although this increase can be credited to the high-profile, large-scale healthcare data breaches that occurred last year, it should be noted that excluding those breaches from the study still yields hacking as the leading cause of breach in 2015.
These rising numbers are why providers are investing so heavily in security, and why several industry stakeholders are advocating for better cybersecurity efforts. Just last week the FDA released a draft guidance on EHR interoperability that heavily emphasized the need for security across interoperable devices.
The FDA draft guide set a standard amongst IT security stakeholders to implement better regulations and requirements.
“Cybersecurity risk management is a shared responsibility among stakeholders,” FDA stated. “FDA seeks to encourage collaboration among stakeholders by clarifying, for those stakeholders it regulates, recommendations associated with mitigating cybersecurity threats to device functionality and device users.”