Healthcare, Pharma Lag in Cybersecurity Effectiveness

Although recent high-profile data breaches have been in the retail sector, healthcare and pharmaceutical companies have even worse cybersecurity practices.

While high-profile data breaches at companies like Neiman Marcus and Target gained attention in the last 6 months, the healthcare industry is at even larger risk.

According to a new analysis by BitSight Technologies, health industry groups in the S&P 500 have worse security practices than companies in the finance, utilities, and retail sectors. Both the healthcare and pharmaceutical sectors had a high volume of security incidents and slow response times from April 2013 through March 2014.

“Based on our analysis, it is clear that organizations that treat cyber security as a strategic issue perform better than those that view it as a tactical one,” Stephen Boyer, BitSight co-founder and chief technology officer, said in a statement. “This partially explains the superior Security Ratings of financial institutions and electric utilities in the S&P 500 compared to retailers and healthcare companies.”

BitSight Security Ratings range from 250 to 900—higher ratings equal higher security performance. The average rating in the healthcare and pharmaceuticals industry was 660, just below retail’s 685 and far below utilities’ 751 and finances’ 765.

The healthcare and pharmaceutical sectors had the largest percent increase in the number of security incidents during the April 2013 to March 2014 time period, according to the report. Furthermore, the average event lasted 5.3 days, which is longer than any other industry.

“In our recent assessment of medical devices used in clinics and hospital around the country, weak encryption, lack of key management, poor authentication and authorization protocols, and insecure communications were all common findings,” Chandu Ketkar, technical manager at Cigital, said in a statement. “These gaps in security can lead to a compromise in data confidentiality and integrity. When sensitive data is compromised, it can not only create risks for patients, but also expose health care providers and device manufacturers to regulatory and business risks.”

Data breaches in the healthcare industry are taken very seriously, particularly in the wake of the new HIPAA Omnibus Rule. For instance, WellPoint was penalized $1.7 million for inadequate protection of members’ information. Penalties are tallied on a per person, per day basis.