Dive Brief:
- The majority of healthcare security breaches are caused by internal actors, according to a new report from Verizon.
- Misdelivery of data is the most common security vulnerability in the industry, Verizon concluded.
- The top two most frequent breaches in healthcare were credit card hacking from emails and employees abusing their privileges to access patient data, according to the report.
Dive Insight:
Healthcare's biggest security threat continues to be its own employees. Last year, healthcare held onto its position as the industry with the most cybersecurity breaches. The response by industry executives, however, has been slower than many security professionals anticipated, with one survey from 2017 finding only 15% of organizations had a chief information security officer and more than 50% of businesses failed to undertake routine risk assessments.
But there are signs of improvement.
A recent survey from Infoblox found employee education has grown over the past two years and healthcare companies are spending 10% more on improving email hygiene, flushing out phishing scams and ransomware.
Infoblox found that 28% of healthcare organizations are spending between 11% and 20% more on cybersecurity than they were in 2017. The top three cybersecurity investments for healthcare companies are anti-virus software (59%), firewalls (52%) and application security (51%).
Nonetheless, there's a lack of investment in employee training. Ransomware remains healthcare's most frequent security incident, although IT consultants say that, too, is avoidable.
According to Verizon, 2018 was the second straight year in which ransomware incidents made up over 70% of all malware outbreaks in healthcare. Infoblox CTO Victor Danevich told Healthcare Dive there are "hundreds of steps" IT departments should have taken to avoid those incidents.
"Do you pay the ransom or not?" he asked. "The short answer, for me as a security professional — I'd start firing people."
A BakerHostetler report published in April found that the average ransom paid by compromised healthcare companies was $28,920 last year. Danevich said healthcare data is 10 times more valuable than the ransom price.
While human error is by far healthcare's biggest security vulnerability, securing connected devices is the next frontier.
The bottom line is that the industry is investing in interconnected devices that have not yet been secured. Progress is being made "but not fast enough," Danevich said.