A recent report released by software vendor IS Decisions, The Insider Threat Security Manifesto, took an international, cross-sector look at the current state of IT security, but there were healthcare information security findings of note as well.
Report respondents included 250 IT decision makers from the U.S. and 250 IT decision makers from the UK and, according to the results, healthcare suffered double the average number of internal security breaches compared to the other industries covered in the report. Specific to U.S. respondents, 82 percent said they were HIPAA compliant, 7 percent said they were not, and 11 percent didn’t know.
Healthcare’s biggest concerns revolved around insider threats, with 30 percent of respondents saying that these were among their top three security priorities (compared to 21 percent in other industries). Healthcare organizations also have less funding available than their cross-industry peers, with 12 percent of healthcare budgets being dedicated to security, while other industries average 15 percent.
Additionally, password sharing may be at the heart of internal security fears. The report indicated that 30 percent of internal healthcare employees share passwords, so it makes sense that 16 percent of healthcare IT pros are more concerned about internal threats than external threats, compared to 7 percent for other industries. Also factoring into the equation are new staff hires, as 25 percent of healthcare IT professionals expressed security doubts about these employees.
François Amigorena, CEO of IS Decisions, said, “Against the background of the debates going on in both the US and the UK about patient data, with Obamacare and Care.data, it is worrying to see that the healthcare sector appears to have a particular problem with internal security. Your own employees are the most likely source of a data breach, and it appears that in healthcare that is an even bigger problem than elsewhere. Considering the sensitive nature of patient data, this suggests that there is significant reason for concern.”
The rest of the report looks at (1) whether insider threats sit on the IT security agenda; (2) whether awareness of insider threats is growing; (3) password sharing and where the threat lies; (4) Active Directory and insider threats; (5) network management and compliance; and (6) ten steps to beating insider threats.
At a high level, the report’s authors maintained that it’s crucial for each industry to be as up to date as possible with its regulatory requirements and for IT decision makers to understand and address them.