Level 3: Low awareness and education threaten healthcare cybersecurity

Level 3 Communications found that there are two issues that are posing dangers to healthcare companies’ network security: awareness and education.

A new study conducted by Healthcare Information and Management Systems Society (HIMSS) Analytics and Level 3 revealed that there are a number of high-level IT security concerns in the healthcare industry as the threat landscape continues to evolve.

The threat of a wide-scale cyberattack is placing the industry’s healthcare data and critical care infrastructure at risk.

Chris Richter, SVP of global security services for Level 3, told FierceTelecom that awareness around healthcare cybersecurity is rising due to the value hackers place on getting access to healthcare records.

“By some estimates, a healthcare record is worth 100 times more than a credit card record because it’s so data-rich,” Richter said. “There are all kinds of information in EHR you could use to completely steal someone’s identity.”

About 80% of survey participants cited employee security awareness as the greatest source of their concern regarding threat exposure.

One of the critical elements that healthcare providers agreed was most important to their business is electronic health record (EHR) systems. The study found that 95% of respondents list EHR systems as most important for network uptime, while hospital interface systems rank as the second most important at 51%.

Trailing EHR and interface systems are remote monitoring for patients (39%), communications systems (37%) and picture archiving and communication system storage (36%).

The majority of organizations employ multiple risk-mitigation practices: 87% leverage remote access/secure access controls, 85% rely on employee security awareness programs and 75% incorporate security consulting services like vulnerability assessments and penetration testing.

Richter said that the main concerns among healthcare providers are twofold: ensuring the integrity of the records and maintaining them.

“Based on our survey, what practitioners care about is protecting healthcare records from theft, but also ensuring that they continue to work,” Richter said. “DDoS is a really big and important concern of theirs.”

A budget issue

Given the risks, it is easy to ask why more healthcare companies are not being proactive about putting a wide-scale cybersecurity program in place.

Interestingly, more than half of the survey respondents have practices such as distributed denial of service (DDoS) mitigation (56%) and/or threat intelligence (55%) in place today.

Despite the potential threats and the benefits of having such a system, two main issues have kept healthcare companies from pushing the managed security button: costs and understanding which options are the best fit for their organization.

“There are so many threat intelligence services and products out there it becomes confusing to figure out which ones have a material benefit,” Richter said. “All of this is taking place while they are facing the traditional concerns across all industries regarding budgets and how much of their IT budgets should be spent on security.”

Level 3 claims that it can reduce network security costs for healthcare companies and other verticals by pushing its controls into the cloud.

Healthcare providers that have decided to make security a priority are focused on three areas: threat intelligence, next-gen firewalling and DDoS.

“This lined up with our strategy to deliver these types of controls on our backbone,” Richter said.

Although healthcare providers have worked to be in compliance with yearly audits to meet federal HIPAA standards, most companies won’t make a security investment until they suffer a large breach.

“One of the things that this survey revealed to us is that they almost have to be compromised or have something scary happen before they will make the leap,” Richter said.

Enhancing security education

But cost is only one part of the healthcare security equation. Similar to the financial community, which has the Financial Services Information Sharing and Analysis Center (FS-ISAC), the healthcare industry has the National Health ISAC (NH-ISAC).

According to NH-ISAC's website, its two largest member types are providers, and payers and insurers. Providers make up 30.5% of its membership, while payers and insurers account for 20.7%.

Richter said Level 3's survey is one “we hope to continue doing on an annual basis so we can track the movement in the changes in perception and changes in adoption of security controls.”

Level 3 is in an interesting position to provide security services to the healthcare industry. Today, it provides services to eight of the top 10 largest healthcare providers.

In particular, the security service that is getting the most attention from its healthcare customers is threat intelligence.

“What we’re finding is the threat intelligence offering has the strongest adoption rate and is growing the fastest,” Richter said. “The reason for that is we can notify these customers when they are communicating with bad actors on our network or a third-party network.”

In working with healthcare customers, Level 3 will conduct an inventory of where the company has its records. Healthcare companies retain and store data in various places, including their own data centers and the cloud.

“Everyone takes a different approach,” Richter said. “What we like to do is begin with a security assessment to find out where their data is located.”

Richter added that the assessment is also meant to figure out which data they need to keep and which should be discarded.

“Some of these organizations have healthcare data that is too old to be holding on to,” Richter said. “Part of the risk assessment is to not only understand what data they have, but where it’s located, how old it is and the usefulness of it.”