
How Vulnerable is Your Data?

  • June 01, 2016

by Tom Foley


Director, Global Health Solution Strategy

With a recent spike in health system cyber attacks, hospitals should be taking a closer look at their data security. Knowing where your hospital lies along the security breach maturity curve will enable your organization to plan proactively and protect your data from being hacked.

What is the Breach Maturity Curve?
As your health IT system expands and technology advances, your security needs will also change. The breach maturity curve describes how security threats evolve as your environment grows, and how your defenses must mature alongside them to keep your data protected. To stay ahead of the curve, you should adopt a breach maturity model: a framework for assessing where your organization stands today, identifying gaps, and establishing best practices for your IT structure, so you know when and what to invest in for the future.

Why It’s Needed: Health Data Under Attack
We’re not even halfway into the year, and ransomware attacks have been reported across California, Kentucky, Indiana, and the Washington, D.C. area, as well as in Australia and Canada. At least five hospitals were attacked in the last two months. Two of these hospitals had to declare a state of emergency after malware locked them out of their systems.

Additionally, some members of the National Health Information Sharing and Analysis Center report daily encounters with campaigns attempting to deliver ransomware. In a ransomware attack, malware encrypts an organization's files or locks its systems, and the attackers demand payment before access is restored. When a ransom is paid, it is usually paid privately, since companies prefer not to reveal that their security has been breached, so the public cases are likely only part of the picture. Recent high-profile cases are proving just how vulnerable health organizations are to these attacks.

What Security Experts Say is Going Wrong
Regarding these attacks, Grant Elliott, founder and CEO of Ostendio Inc., an Arlington, Virginia-based health IT and risk management firm, says, “Anyone who is surprised this is happening isn’t paying attention.” He notes that most health system chief information officers are too focused on the bottom line and not enough on security. “My hope is problems like this will make health care systems wake up.”

In a survey, 61 percent of health industry organizations said meeting compliance requirements was their top IT security spending priority, with preventing data breaches well behind at 40 percent. “Compliance is only a step towards healthcare IT security,” states Garrett Bekker, senior analyst at 451 Research. He adds, “[Hospitals] are continuing to invest in defenses like network and endpoint security offerings that offer little help in protecting data once perimeters have been breached.”

And once those perimeters are breached, the costly damages add up quickly. According to the Ponemon Institute’s 2015 annual data breach study, the cost of health industry data breaches is the highest among all business fields, averaging $398 per record.

How to Evaluate Your Security Plan
It’s time to determine the baseline of your hospital’s IT data security model so you can proactively plan for tomorrow. It’s pretty straightforward to get started: review your IT infrastructure, devices, and common user behaviors to identify gaps.

Next, take these steps to better prepare your defenses:

  • Schedule routine maintenance windows to install critical software patches and antivirus updates.
  • Isolate vulnerable devices, such as legacy medical equipment that cannot be patched, on a separate network segment.
  • Implement email filters, or whitelist approved sender domains and IP addresses, so that malicious attachments never reach staff inboxes.
  • Educate your staff on best practices for workplace security.
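Since phishing email is the usual delivery route for the ransomware campaigns described above, the filtering step in the checklist is worth seeing concretely. The following Python script is an added illustration, not code from the original article or from any vendor it mentions: it parses an inbound message, checks the sender's domain against an approved list, and flags attachment types commonly used to deliver ransomware droppers, looking one level inside zip archives. The approved domains, the extension list, and the two sample messages are all constructed assumptions for the example.

```python
"""Added example: a minimal inbound-mail filter of the kind the checklist
recommends. Allowlist, extension list and sample messages are constructed
for illustration; a production gateway would pair this with antivirus and
URL rewriting rather than rely on it alone."""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed allowlist of sender domains this hospital trusts (illustrative).
APPROVED_DOMAINS = {"hospital.example", "lab-partner.example"}
# Attachment types commonly abused as ransomware droppers: executables,
# script hosts and macro-enabled Office documents (list is illustrative).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf",
                    ".hta", ".jar", ".docm", ".xlsm"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    return os.path.splitext(name.lower())[1]


def sender_domain(msg):
    """Domain of the From: address, lower-cased; '' if it cannot be parsed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def risky_attachments(msg):
    """Names of attachments with a risky type, including one level inside zips."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in RISKY_EXTENSIONS:
            found.append(name)
        elif ext in ARCHIVE_EXTENSIONS:
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for inner in zf.namelist():
                        if _ext(inner) in RISKY_EXTENSIONS:
                            found.append(f"{name}:{inner}")
            except zipfile.BadZipFile:
                # An archive we cannot open is treated as suspicious, not ignored.
                found.append(f"{name} (unreadable archive)")
    return found


def filter_message(raw):
    """Return ('deliver' or 'quarantine', [reasons]) for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    domain = sender_domain(msg)
    if domain not in APPROVED_DOMAINS:
        reasons.append(f"sender domain {domain!r} is not on the allowlist")
    for name in risky_attachments(msg):
        reasons.append(f"risky attachment {name}")
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample(from_addr, attachment_name, payload, maintype, subtype):
    """Construct a sample message (illustrative data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "billing@hospital.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


def zipped_script():
    """A zip containing a JavaScript file, the classic lure layout (inert placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.js", "// placeholder, no real payload\n")
    return buf.getvalue()


# Constructed samples: one phishing-style lure, one legitimate partner message.
SAMPLES = {
    "lure": build_sample("Accounts <pay@unknown-sender.example>", "invoice.zip",
                         zipped_script(), "application", "zip"),
    "legit": build_sample("Lab <results@lab-partner.example>", "results.pdf",
                          b"%PDF-1.4 placeholder", "application", "pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, filter_message(raw))
```

Two design points matter in practice: an unreadable archive is quarantined rather than passed through, because attackers deliberately craft archives that scanners fail to open, and the domain check is on the parsed address, not the display name, since a lure will happily show "Hospital Billing" as its display name while sending from an unrelated domain.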

This last step is extremely important. It’s not just about infrastructure, it’s also about people. Mac McMillan, co-founder and CEO of CynergisTek, a health security and privacy consulting firm, stated, “Much of a hospital’s defenses lie with hospital staff.”

Keep your staff up to date on the latest security policy changes as well as critical technology training. Take these steps to strengthen your defenses:

  • Develop protocols for a data breach, a system lockdown, or a lost or stolen employee device.
  • Provide proper software and device training to avoid user errors (duplicate records, outdated codes, etc.).
  • Cross-reference your IT plan with industry recommendations, like the EMR Adoption Model from HIMSS and Intel®, to identify potential gaps or risks.

To ensure a thorough security gap assessment, use an impartial third party or partner. This way, the process will not be about pointing fingers but about identifying and addressing the risks.

Having a baseline understanding of where your hospital is today will help you understand where your organization lies on the breach maturity curve. Thus, your team can take the appropriate measures to safeguard against a very costly—and potentially negatively publicized—security breach.



1. How Mature is Your Healthcare Security Program? Dell Power More. November 2015.
2. To Pay or Not to Pay Ransom: A Tale of Two Hospitals. Becker’s Health IT & CIO Review. March 28, 2016.
3. Here’s How Hospitals Can Protect Themselves From Ransomware Attacks. STAT. April 27, 2016.
4. MedStar Took ‘Extreme’ Measures to Block Cyber Threat. Washington Business Journal. March 29, 2016.
5. Despite Risk, Healthcare Prioritizes Compliance Over Data Security. Infosecurity. April 13, 2016.
6. Healthcare Data Breaches Are Costliest: Study. Modern Healthcare. May 28, 2015.