BreachExchange mailing list archives

Why 'leaky bucket' approach to managing security threats will never work


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 17 Mar 2014 18:49:57 -0600

http://www.govhealthit.com/blog/why-leaky-bucket-approach-managing-security-threats-will-never-work

You manage one security threat, and up pops another. And another. It's like
a bucket filled with water and holes. The water keeps spurting out. Every
time you patch a hole, a new one forms.

This reactive approach of patching old and new security threats is
overwhelming and never-ending for healthcare organizations. Unfortunately,
these threats keep advancing, as revealed in the newly released Fourth
Annual Benchmark Study on Patient Privacy and Data Security by Ponemon
Institute.

It's no surprise, then, that 90 percent of healthcare organizations are
still experiencing breaches, and 38 percent report that they have had more
than five incidents in the last two years.

Some of the key threats the Ponemon study found are:

Employee negligence: As in past Ponemon surveys, human error emerged this
year as the biggest vulnerability in protected health information (PHI)
security. Although the majority of surveyed organizations expressed
confidence in their breach detection policies and procedures, 75 percent
reported employee negligence as their biggest worry, and insider negligence
was the root of most data breaches reported in the study.

Unsecured mobile devices: It's a lot more convenient to use your personal
mobile device for work -- a major security risk to the 88 percent of
healthcare organizations that permit employees and medical staff to use
their own mobile devices to connect to the organization's networks or
enterprise systems.

Security gaps with business associates: In light of the Target data breach,
which may have been caused by a fourth party -- essentially a subcontractor
of a subcontractor -- this is a real concern. Only 30 percent of
organizations surveyed are confident that their business associates are
appropriately safeguarding patient data as required under the HIPAA Final
Rule.

Evolving criminal threats: "The latest trend we are seeing is the uptick in
criminal attacks on hospitals, which have increased a staggering 100
percent since the first study four years ago," said Larry Ponemon, chairman
and founder of the Ponemon Institute. "As millions of new patients enter
the U.S. healthcare system under the Affordable Care Act, patient records
have become a smorgasbord for criminals."

New vulnerabilities under the Affordable Care Act: Survey participants had
strong reservations about the security of Health Information Exchanges
(HIEs): a third said they don't plan to participate in HIEs because they
are not confident enough in the security and privacy of patient data shared
on the exchanges.

There are hopeful signs, but many organizations are still struggling with
incident management, compliance with the myriad regulations, and how to
cope with changes in the security environment.

"Healthcare organizations are getting better at implementing security
measures, but attacks and threats are getting stronger and more
persistent," Ponemon said. "The combination of insider and outsider threats
presents a multi-level challenge, and healthcare organizations are lacking
the resources to address this reality."

Conclusion

It's time to get a new bucket -- one that allows healthcare organizations to
be proactive rather than reactive. Doing so involves better risk
assessments, consistency in security processes and procedures, and
preparing for emerging threats. This shift in focus from an incident-based
process to a culture of compliance is what's necessary to get ahead of the
shifting sands of security risks.

Indeed, organizations should instill business operations that include
tools, software, and processes that will both automate and streamline the
practice of managing the disclosure of regulated data, according to Ponemon.

Only then will we be prepared for what's ahead.