Revenue Cycle Management
COVID-19
Reimbursement
Diabetes Awareness Month
Risk Management
Patient Retention
Staffing
Medical Economics® 100th Anniversary
Coding and documentation
Business of Endocrinology
Telehealth
Physicians Financial News
Cybersecurity
Cardiovascular Clinical Consult
Locum Tenens, brought to you by LocumLife®
Weight Management
Business of Women's Health
Practice Efficiency
Finance and Wealth
EHRs
Remote Patient Monitoring
Sponsored Webinars
Medical Technology
Billing and collections
Acute Pain Management
Exclusive Content
Value-based Care
Business of Pediatrics
Concierge Medicine 2.0 by Castle Connolly Private Health Partners
Practice Growth
Concierge Medicine
Business of Cardiology
Implementing the Topcon Ocular Telehealth Platform
Malpractice
Influenza
Sexual Health
Chronic Conditions
Technology
Legal and Policy
Money
Opinion
Vaccines
Practice Management
Patient Relations
Careers

Healthcare, Pharma Lag in Cybersecurity Effectiveness

May 30, 2014

Article

Although recent high-profile data breaches have been in the retail sector, healthcare and pharmaceutical companies have even worse cybersecurity practices.

While high-profile data breaches at companies like Neiman Marcus and Target gained attention in the last 6 months, the healthcare industry is at even larger risk.

According to a new analysis by BitSight Technologies, health industry groups in the S&P 500 have worse security practices than companies in the finance, utilities, and retail sectors. Both the healthcare and pharmaceutical sectors had a high volume of security incidents and slow response times from April 2013 through March 2014.

“Based on our analysis, it is clear that organizations that treat cyber security as a strategic issue perform better than those that view it as a tactical one,” Stephen Boyer, BitSight co-founder and chief technology officer, said in a statement. “This partially explains the superior Security Ratings of financial institutions and electric utilities in the S&P 500 compared to retailers and healthcare companies.”

BitSight Security Ratings range from 250 to 900—higher ratings equal higher security performance. The average rating in the healthcare and pharmaceuticals industry was 660, just below retail’s 685 and far below utilities’ 751 and finances’ 765.

The healthcare and pharmaceutical sectors had the largest percent increase in the number of security incidents during the April 2013 to March 2014 time period, according to the report. Furthermore, the average event lasted 5.3 days, which is longer than any other industry.

“In our recent assessment of medical devices used in clinics and hospital around the country, weak encryption, lack of key management, poor authentication and authorization protocols, and insecure communications were all common findings,” Chandu Ketkar, technical manager at Cigital, said in a statement. “These gaps in security can lead to a compromise in data confidentiality and integrity. When sensitive data is compromised, it can not only create risks for patients, but also expose health care providers and device manufacturers to regulatory and business risks.”

Data breaches in the healthcare industry are taken very seriously, particularly in the wake of the new HIPAA Omnibus Rule. For instance, WellPoint was penalized $1.7 million for inadequate protection of members’ information. Penalties are tallied on a per person, per day basis.