BreachExchange mailing list archives
Why 'leaky bucket' approach to managing security threats will never work
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 17 Mar 2014 18:49:57 -0600
http://www.govhealthit.com/blog/why-leaky-bucket-approach-managing-security-threats-will-never-work

You manage one security threat, and up pops another. And another. It's like a bucket filled with water and holes. The water keeps spurting out. Every time you patch a hole, a new one forms. This reactive approach of patching old and new security threats is overwhelming and never-ending for healthcare organizations.

Unfortunately, these threats keep advancing, as revealed in the newly released Fourth Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute. It's no surprise then, that 90 percent of healthcare organizations are still experiencing breaches, and 38 percent report that they have had more than five incidents in the last two years.

Some of the key threats the Ponemon study found are:

Employee negligence: As in past Ponemon surveys, human error emerged this year as the biggest vulnerability in protected health information (PHI) security. Although the majority of surveyed organizations expressed confidence in their breach detection policies and procedures, 75 percent reported employee negligence as their biggest worry, and insider negligence was the root of most data breaches reported in the study.

Unsecured mobile devices: It's a lot more convenient to use your personal mobile device for work -- a major security risk to the 88 percent of healthcare organizations that permit employees and medical staff to use their own mobile devices to connect to the organization's networks or enterprise systems.

Security gaps with business associates: In light of the Target data breach, which may have been caused by a fourth party -- essentially a subcontractor of a subcontractor -- this is a real concern. Only 30 percent of organizations surveyed are confident that their business associates are appropriately safeguarding patient data as required under the HIPAA Final Rule.

Evolving criminal threats: "The latest trend we are seeing is the uptick in criminal attacks on hospitals, which have increased a staggering 100 percent since the first study four years ago," said Larry Ponemon, chairman and founder of the Ponemon Institute. "As millions of new patients enter the U.S. healthcare system under the Affordable Care Act, patient records have become a smorgasbord for criminals."

New vulnerabilities under the Affordable Care Act: Survey participants had strong reservations about the security of Health Information Exchanges (HIEs): a third said they don't plan to participate in HIEs because they are not confident enough in the security and privacy of patient data shared on the exchanges.

There are hopeful signs, but many organizations are still struggling with incident management, compliance with the myriad regulations, and how to cope with changes in the security environment. "Healthcare organizations are getting better at implementing security measures, but attacks and threats are getting stronger and more persistent," Ponemon said. "The combination of insider and outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality."

Conclusion

It's time to get a new bucket -- one that allows healthcare organizations to be proactive rather than reactive. Doing so involves better risk assessments, consistency in security processes and procedures, and preparing for emerging threats. This shift in focus from an incident-based process to a culture of compliance is what's necessary to get ahead of the shifting sands of security risks. Indeed, organizations should instill business operations that include tools, software, and processes that will both automate and streamline the practice of managing the disclosure of regulated data, according to Ponemon. Only then will we be prepared for what's ahead.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)