Netwrix released an infographic based on the findings of its global 2019 Netwrix Cloud Data Security Report for the healthcare industry. The infographic provides an industry perspective of the data that healthcare organizations store in the cloud, the state of their cloud data security and their plans for using cloud technology.
The 2019 Netwrix Cloud Data Security Report revealed that 32 percent of healthcare organizations store a wide range of sensitive data in the cloud, including healthcare data and personally identifiable information (PII) of customers and employees. In addition, the number of those who are ready to adopt Cloud-First approach has increased by 31 percent since 2018, and the number considering becoming 100 percent cloud-based has grown by 12 percent. Unfortunately, their IT teams might not have enough resources to properly protect this sensitive data in the cloud, as 85 percent of them did not see an increase in their cloud security budgets in 2019.
Other findings revealed by the research
and shown in the infographic include:
26 percent of healthcare organizations had at least one security incident in the cloud during the past 12 months. These organizations have two things in common: None of them classified all the data they stored in the cloud, and all of them store all their sensitive data in the cloud.
The majority of IT teams at healthcare organizations plan to strengthen data security in the cloud by encrypting data (70 percent) and monitoring activities around data (50 percent). However, one third of them do not receive any financial support from their management, which makes it more difficult for them to improve security in the cloud.
18 percent of healthcare organizations would consider moving their data from the cloud back on premises. Their main reasons include security concerns (56 percent), reliability and performance issues (22 percent), and high costs (22 percent) for the cloud. If they decide to make this move, they will start by migrating healthcare data (33 percent), customer data (33%) and employee data (11 percent).
“Prioritizing security efforts is the key to ensuring data security in the cloud, especially if budgets are tight, as is common at healthcare organizations. When organizations know exactly what data they have in the cloud and have classified it according to its value and level of sensitivity, they are in a better position to choose appropriate controls within their budgetary constraints and protect sensitive data more effectively,” said Steve Dickson, CEO of Netwrix.
“By 2022, more than 30 percent of the hospital data centers will be based in the cloud. Healthcare systems have been skeptical about adoption of cloud, but cost pressures and the need to reduce capital expenditure have been changing that mindset. After enduring several high-profile breaches and realizing the maturity of various cloud providers (both in expertise and scalability), healthcare systems are finally less skeptical than they used to be about the cloud.” — Gartner, “Forecast Overview: Healthcare Provider Market, Worldwide, 2018,” by Anurag Gupta, July 13, 2018.
By Ilia Sotnikov, vice president of product management, Netwrix.
On February 21, UConn Health reported that personally identifiable information (PII) from 326,000 patients was compromised. A malicious third party illegally gained access to several employee email accounts that contained patient names, dates of birth, Social Security numbers, addresses, and limited medical information, such as billing and appointment information.
What is most important about this data breach is that the hackers were not necessarily looking for patient medical records — they seem to have been looking for any personal information they could steal. That vividly illustrates the importance of having stringent policies to protect PII, supported by employee training on best security practices. Specifically, there are three lessons to learn from this event if you want to mitigate your risk of suffering a similar breach.
Lesson #1. Classify your sensitive data
The 2018 Netwrix IT Risks Report shows that healthcare organizations generally lack proper data governance practices and rarely check what data they store and how sensitive it is. The majority of respondents classify data based on its sensitivity (61 percent) and clear up unnecessary data (67 percent) only once a year or even less often.
It’s estimated that by 2020, each person will generate 1.7 MB of data every second. However, not all of that data needs special protection. Therefore, an effective strategy is to develop a data classification policy to discover all the data you have and classify it according to your organization’s needs. That way, you can prioritize your security efforts on the data that deserves it the most. At the same time, you can eliminate duplicate and unneeded files, which will reduce your attack surface area and lower your storage and backup costs.
Health IT’s most pressing issues may be so prevalent that they can’t be contained to a single post, as is obvious here, the second installment in the series detailing some of the biggest IT issues. There are differing opinions as to what the most important issues are, but there are many clear and overwhelming problems for the sector. Data, security, interoperability and compliance are some of the more obvious, according to the following experts, but those are not all, as you likely know and we’ll continue to see.
Here, we continue to offer the perspective of some of healthcare’s insiders who offer their opinions on health IT’s greatest problems and where we should be spending a good deal, if not most, of our focus. If you’d like to read the first installment in the series, go here: Health IT’s Most Pressing Issues. Also, feel free to let us know if you agree with the following, or add what you think are some of the sector’s biggest boondoggles.
Michael Fimin, CEO and co-founder, Netwrix
The largest concern of any healthcare organization is protecting patient personal data. Every year healthcare entities of all sizes become victims of data leaks, fresh examples are both Anthem and Premera Blue Cross, and lose thousands of dollars mainly because of employee misbehave or human error. Being not an easy one to prevent, human factor sets IT pros a number of challenges to cope with:
1. Insider threat. Unfortunately, privilege abuse is a primary root cause for many data breaches. No matter if an employee is breaking bad or his credentials were stolen, sensitive data is put at risk. The only way to prevent insider threats is to have visibility into the IT infrastructure and be able to track any changes made to both security configurations and data. Monitor user activity and establish rigorous control over accounts with extended privileges. Regularly review all access rights to ensure that permissions are granted adequately to employees’ business needs.
2. Security of devices. In 2014 healthcare organizations suffered from physical theft or loss of electronic devices more than any other industry, said the Verizon 2014 DBIR. Without proper identity and authentication management personal data stored on these devices can be easily accessed by adversaries, leading to financial and reputational losses. If your employees’ laptop or tablets end up in the wrong hands, encryption, two-factor authentication and ability to manage the device remotely will protect your data, or at least will make hacker’s job much harder.
3. Employees’ negligence. Deliberate or accidental mistakes pose more danger to data integrity than you might think. A simple email with confidential data sent to the wrong address may lead to a huge data leak. Make sure that your employees are familiar with the company’s security policy and are aware of what they should do to maintain security each person in the company should clearly understand that integrity of information assets is their personal responsibility.
Dr. Barry Chaiken, chief medical information officer, Infor Healthcare providers organizations invested billions of dollars purchasing and implementing electronic medical records with this investment driven by the economic incentives provided by the HITECH Act. Now that these systems are installed an up and running, organizations struggle to obtain real value from these investments. These systems were implemented with speed in mind rather than clinical transformation that improved quality and reduced costs. Now, organizations must embrace clinical transformation and change management to redo workflows and processes to effectively impact care. Organizations cannot justify their investment in EMRs unless they rework their EMR implementations to obtain true value from their deployment.”