Risks Growing, But Not InfoSec Budgets
New Survey Sizes Up Healthcare Security TrendsThe recent cyber-attack against Anthem Inc. that exposed personal information on 78.8 million individuals is just the latest siren that the healthcare threat landscape is becoming more menacing. But while cyberthreats are rising, budgets for information security are not at many healthcare organizations, according to our 2015 Healthcare Information Security Today survey.
Our survey, which was conducted in December and January, found that only 43 percent of healthcare organizations - including hospitals, delivery systems, clinics and payers - say their information security budgets will increase this year, with 31 percent reporting flat funding and 5 percent seeing a decrease. The remainder were uncertain.
Other survey results suggest that many healthcare organizations aren't devoting enough resources to taking such basic security steps a making use of encryption.
For instance, our survey shows that only 56 percent of organizations are applying encryption for mobile devices, despite loss and theft of unencrypted computing devices being a top culprit in major health data breaches.
And even fewer organizations - 36 percent - apply encryption to servers and databases. Keep in mind that the Anthem database that was recently hacked was reportedly unencrypted.
VA Budget Plans
Although our survey results show most organizations have yet to ramp up security spending, I learned at a recent media briefing that the Department of Veterans Affairs plans to spend more on security - assuming Congress approves its budget.
VA CIO Steph Warren says the information security proposed budget for fiscal 2016, which begins Oct. 1, is $180.3 million - or 6 percent of its total IT budget - including $53 million for the VA's cybersecurity program. That's up from an enacted fiscal 2015 information security budget of $156 million, which included $45.5 million for cybersecurity.
Ramping up spending at the nation's largest healthcare provider is a wise move, given the growing sophistication of targeted attacks, as well as the proliferation of malware and suspicious e-mail that the VA is constantly defending itself against.
"Cybersecurity is a team sport," Warren says. "We've got dollars identified in the budget that are new tools or new processes, but [for] every single VA employee [especially] at the medical centers, a large part of the job is cyber support - doing activities and actions that are necessary to secure the enterprise." And thus, there are elements of cybersecurity spread throughout the VA's proposed IT budget, he adds.
Among efforts that are part of the VA's overall information security spending plans for fiscal 2016 are investments in tools and process improvements related incident management, anti-malware, domain protection and two-factor authentication.
"We continue to keep up with the threats - the threats keep growing," Warren says.
That's something that more private sector healthcare organizations need to remember too while plotting out their information security efforts for 2015 and beyond.
In the coming weeks, look for a webinar and detailed report on our survey, which is sponsored by Cardigm, Experian, (ISC)², and ZixCorp.