Electronic Health Reporter

IDC Health Insights announces a new report, “Business Strategy: Thwarting Cyber Threats and Attacks against Healthcare Organizations.” that features findings from the 2014 IDC Insights Cross Industry Cyber Threat Survey. The report is designed to gauge how financial services, healthcare provider organizations and retailers are responding to increasing cyber threats and the impact of successful attacks on business operations. The study also highlights how healthcare organizations are investing in their cyber strategy to protect their most valuable electronic assets.

Today’s healthcare organizations are at greater risk of a  cyber attack than ever before in part because electronic health information is more widely available today than in the nearly 20 years since the Health Insurance Portability and Accountability Act was passed in 1996. Cyber criminals view healthcare organizations as a soft target compared to financial services and retailers because historically healthcare organizations have invested less in IT, including security technologies and services, than other industries, thus making them more vulnerable to successful cyber attacks.

The value of health information, which can be used to commit medical fraud, is surpassing the value of social security and credit card numbers on the black market, thus increasing the attractiveness of stealing health information.

Key findings include:

• After physical loss or theft of a laptop, mobile or portable device, malicious hacking or IT incident was the most common breach reported on the Department of Health and Human Services (DHHS) website. In 2013, 20 (out of 175) breaches related to hacking or an IT incident represented 9 percent of the individuals affected and 11.4 percent of the attacks.
• All respondents of the 2014 IDC Insights Cross Industry Cyber Threat Survey reported that they had experienced a cyber attack in the past 12 months; 39.4 percent reported that they were attacked more than 10 times and 27.1 percent of the attacks were described as “successful attacks.”
• Security is a top IT initiative for health care providers. In 2014, according to the 2014 IDC Global Technology and Industry Research Organization IT Survey, security and risk management technologies was the number 1 initiative (29.0 percent). In 2013, it was also the top ranked initiative (20.1 percent).
• Approximately one out of four cyber attacks had an impact on normal business operations. The majority of respondents (52.2 percent) indicated that the shortest impact lasted less than an hour and 43.3 percent reported that the longest duration was between eight and 24 hours.
• The overwhelming majority of healthcare executives reported that their spending on cyber threats increased (59.6 percent) or stayed the same (38.3 percent) over the last three years. On average, the increase for those respondents that reported an increase  was 14.8 percent.
• Consumers highly value their privacy according to a recent 2014 IDC Insights Cross-Industry Consumer Experience Survey, but are not as confident that healthcare organizations were adequately protecting their data.  Concerned consumers are willing to end a healthcare relationship after a breach, including changing their care providers (21.6 percent) and changing health plans (5 percent).

According to Lynne A. Dunbrack, research vice president, IDC Health Insights, “For healthcare organizations, it’s not a matter of if they are going to be attacked but when. Healthcare cyber security strategies need to take a comprehensive approach and include not only react and defend capabilities, but also predict and prevent capabilities to effectively thwart cybercriminals.”

Cyber attacks against healthcare will assuredly increase in number and level of sophistication in the next 12 to 24 months. As other industries become more proficient at thwarting cyber attacks, cyber criminals will continue to cast their nets wider to find vulnerable information assets to exploit. IDC Health Insights expects over time that spending allocations will change to support predict and prevent security strategies rather than defend and re-mediate strategies.

According to the new report, to take a more proactive stance in protecting themselves against cyber threats and attacks, healthcare organizations will need to invest in threat intelligence reporting which combines reports from security vendors and the organization’s own network logs. Predictive analytics can then be applied against these external and internal data feeds to help identify behaviors that suggest that systems are being compromised and under attack.