Providers not using encryption enough for data in the cloud
A recent survey suggests that a majority of healthcare organizations are now putting data in the cloud, often without sufficient security protection.
The survey found that 80 percent of 100 healthcare organizations are placing sensitive data in the cloud. Some 70 percent of respondents reported that they have experienced data breaches—the highest rate of any industry in the survey—and 25 percent failed data security compliance audits in the past year.
The 2019 Data Threat Report from Thales, which offers information technologies and advisory services, provides clear evidence that patient information is at risk in the face of rapid cloud adoption, with inadequate encryption rates in the healthcare industry, says Tina Stewart, the company’s vice president of market strategy for cloud protection and licensing.
“Data security is increasingly complex, particularly for healthcare organizations immersed in cloud and digital transformation initiatives,” Stewart adds. “The focus should be to encrypt everything in the cloud and keep control of the data by centrally managing the keys to the encrypted data.”
Unlike other industries, healthcare organizations face a broad and ever-expanding threat surface because of the sheer volume of personally identifiable information that is available.
“Healthcare data is especially attractive to hackers because it is far more valuable than other kinds of data that can be accessed and exploited,” explains Frank Dickson, vice president for security products research at IDC, which collaborated with Thales on the report. “When healthcare data is stolen, damage cannot be fully mitigated. A credit card can be cancelled or a bank account can be closed, but private patient data circulates endlessly, which opens opportunities for fraud to occur again and again from a single breach.”
Providers are not blinded by all the threats, the report notes.
Two-thirds of respondents say they expect to use encryption and tokenization to boost security and pass compliance audits. IDC recommends providers establish a shared security model between themselves and their cloud vendors. Otherwise, without sufficient flexibility built into technologies to meet new regulations when issued, non-compliance issues will continue.
The complete report can be downloaded here.