With nearly 100 million healthcare records compromised in just the first half of last year, IBM called 2015 the year of the healthcare security breach in a recent Security Trends in the Healthcare Industry report.

The report illustrates that high financial gain is one factor drawing attackers to the healthcare sector. Another is the breadth of attack vectors created by the industry's widespread use of legacy systems and dated technology, which raises the odds that proven, reliable attack methods will succeed against it.

Some healthcare security budgets are increasing at a modest pace, according to Forrester, with security at 16% of the IT budget compared with 19% across all industries. Many other healthcare security budgets, however, appear to get only trivial increases, and in some cases security-related spending is being cut. The increases shown in the accompanying chart are not exceptionally large.

This is obviously counterintuitive, since threats and security expectations are not decreasing, but are becoming significantly higher. The key to meeting these conflicting demands is increasing the efficiency of dealing with more routine security functions and using some of the resulting savings to deal with new threats and complex technology environments within a process-oriented framework for information risk management.

According to Forrester, almost 30% of the healthcare security budget goes to staffing and maintenance, with staffing representing almost 14% and maintenance of existing on-premises security technology approximately 15%. At the same time, the scarcity of security skills in the labor pool is an ongoing challenge for all healthcare organizations. This not only raises the cost of staffing but also limits efficiency.

To reduce both staffing and maintenance costs, Forrester recommends that healthcare organizations consider increasing the adoption of managed security or security-as-a-service. They contend that security is a critical function, but not all of it needs to be delivered in-house.

The same benefits that encourage organizations to move other workloads to the cloud, such as scalability, flexibility and reduced capital expenditure, apply to security. With constrained resources and rising security demands, healthcare organizations need to spend more rationally while getting better at managing information risk by operationalizing routine information security functions.

The healthcare industry is growing and evolving quickly and reacting to more demanding patient expectations. With the pace of change putting more pressure on healthcare organizations, building in-house capabilities to monitor and manage security around the clock is becoming an unrealistic option for many.

Mature, repetitive security functions can be outsourced to managed security services or the cloud. Security information and event management (SIEM), reporting and threat intelligence are strong candidates for outsourcing, as long as decision-making responsibility stays in-house. Consider how much time such routine operational tasks consume and how much value you could gain by having internal staff work on more critical issues instead. Done well, this can improve security while reducing spending and head count, particularly since most healthcare organizations require 24/7 coverage.

Among the 621 data breaches studied in Verizon's 2013 Data Breach Investigations Report, approximately 70 percent were discovered by external parties and 9 percent by customers; in other words, the great majority of victims did not detect the intrusion themselves.

Gone are the days when a healthcare organization could manage all of its information risks alone. As healthcare environments become more complex and threats grow, organizations can find themselves struggling to plan and execute effective security programs, a situation exacerbated by a lack of properly skilled or trained staff.

Security spending in the healthcare industry varies widely, as do the efficiency and cost-effectiveness of that spending. Healthcare organizations can steer their budgets toward better outcomes by thinking through which functions and activities they should own, and which staff skills to hire versus outsource.

They should judge which security functions to own by how well each activity supports the core goal of information protection. The shift to true information risk management requires healthcare organizations to rethink their approach to budgeting.

Brian Evans

Evans, CISSP, CISM, CISA, CGEIT, Senior Managing Consultant with IBM Security Services, assists healthcare organizations in building regulatory compliant information security programs.