LAS VEGAS—Healthcare providers are far behind other industries when it comes to protecting their data and the number of attacks is only expected to accelerate.
At an annual confab designed to celebrate the latest in technological innovation, a newly released survey offered a sobering take on healthcare's flimsy defenses.
Healthcare providers are averaging less than 6% of their information technology budget expenditures on security, according to the survey from HIMSS Analytics, the research arm of the Healthcare Information and Management Systems Society, and security firm Symantec.
In contrast, the federal government spends 16% of its IT budget on security, while financial and banking institutions spend 12% to 15%.
“We can't be as secure as those industries because we're not spending the money,” said David Finn, Symantec's health IT officer. “Information and information technology were never really strategic to healthcare. We never thought of that data as being strategic and important.”
But in fact, the number of healthcare attacks over the past five years has increased 125% as the industry has become an easy target. Personal health information is 50 times more valuable on the black market than financial information, according to the survey.
“All signs are that (attacks) are going to continue to increase,” said Blain Newton, executive vice president at HIMSS Analytics.
And the events are changing in nature. This month, Hollywood Presbyterian Medical Center paid hackers a $17,000 ransom in bitcoins to unlock its electronic health record system.
“They couldn't take care of patients,” Finn said. “That's not a security issue anymore. That's a business issue.”
Still, 60% of healthcare boards of directors only get security updates on an as-needed basis, compared to the regular quarterly reports they get on financials and operations,
“It's still very event-focused,” he said. “It's very 'put out a fire as it comes in.' ”
The points of vulnerability also are growing as providers layer additional technologies on top of their EHR platforms—from mobile applications to wearables. Only 46.1% of providers surveyed by HIMSS Analytics' healthcare IT security and risk management survey had begun addressing potential security issues around medical devices, which can be used as an entry point into a hospital's protected data.
A number of vendors have stepped into the space to offer new technologies for cybersecurity, such as replacing the easily compromised password with voice activation or biometric scanning devices to verify someone's identity.
Since senior citizens are often the primary users of in-home monitoring devices, the cybersecurity tools protecting them need to be simple to use even as they increase in sophistication, said Hal Wolf, director at the Chartis Group, an advisory group.
“You're seeing a huge acceleration in this space,” he said. “We're catching up and we're going to be playing catch-up for the life of healthcare.”