Due to the prevalent complacency, culture, politics and budget, ensuring data security is viewed as a cost factor that can wait
Authored by Rahul Kumar, Country Manager, WinMagic
Digitalization in the medical sector has necessitated the distribution of patient information to not only doctors but also authorised employees, agents and contractors. This has made this sector one of the most vulnerable. According to a study, about 90% of healthcare organisations havesuffered at least one data breach in the past two years. The main cause identified in all these cases was criminal intent; unlike with mostcredit card data breaches, these cases were not immediately identified. The cost of all sorts of breaches in the healthcare sector is around $6 billion per year or $2.1 million per healthcare organisation annually.Consequences of cybercrime within the pharmaceutical and healthcare industry go beyond the obvious financial damage. This industry is increasingly becoming the target of cyber-attacks and espionage mainly because of the following reasons:
• Intellectual property (drug formulas, manufacturing processes) has the potential to generate billions of dollars of revenue, and it is expensive and time consuming to undertake such R&D to generate intellectual property
• Insiders, rather than external hackers, pose the biggest threat in organisations that hold large amounts of valuable intellectual property and trade secrets (DuPont breach in 2012)
• The pharmaceutical and life sciences industry lag behind in implementing measures to protect against cyber-attacks as compared to other industries
Compliance &protection of intellectual property
An issue that’s somewhat unique to the healthcare industry is that hospitals, insurers, and others take compliance quite literally, focusing mostly on the processes and missing out on the big picture of what compliance regulations are trying to accomplish. Such a rationale among the healthcare players has created a false sense of security, making them more vulnerable than ever before.The ensuing costs for such complacency can be high; especially, given the investment of time, effort and money that is required long term. Information risk management is more than just compliance. The healthcare sector needs to look at addressing data security and IP concerns as a proactive investment, and not simply focusing on it as a cost for ensuring compliance.
A panacea to mitigating security risks lies in meeting industry-specific compliance regulations. In a broader sense, compliance isnot necessarily restricted to data security; in fact, it encompasses risk, confidentiality, integrity and availability of data. Therefore, given the fluidity of IT and the continually emerging threats and vulnerabilities, simply focusing on compliance alone is short-sighted and can end up creating a false sense of security that your information is truly protected. Towards this end, pharma and healthcare organisations must undertake an audit of their systems and procedures to ensure the protection of critical information.
Data security challenges in healthcare environments
In India, the healthcare sector is growing at an unprecedented rate, confounding analysts and investors alike. According to the Indian Pharmaceutical Congress, the industry is growing at 15.92 per cent per annum—at this rate, the industry would grow to $ 55 billion by 2020, making India the sixth largest market globally. This is all the more a reason to protect patient files, prescription records, diagnostic data, insurance records and billing details.
Nowis the time that organisations start looking at data encryption and key management solutions as insurance against data threats. With technologies such as AES-NI, SEDs and the general improvements in OS performance and processor speeds, encryption has evolved considerably over the last few years.Encryption solutions secure data in a completely transparent way, making it easier than ever before to manage it.
Handling internal & external threats
World over the healthcare sector has been smarting under attacks from insiders—rather than external hackers—who manipulate the inherent flaws in the IT environment. Closer home, culture, politics and budget continue to undermine security in the healthcare sector in India.
The heterogeneous nature of IT environments currently in vogue is not helpful either: hospitals, insurers, diagnostic centres, etc. work together to get things done from the confines of their respective networks. The inherent flaws in the environment creep in despite the multiple layers of security and numerous security policies followed by the players in the healthcare chain. This is compounded by the fact that these players are unable to bring about a seamless integration between the varied technologies in place. They fear that another security layer would not only cause inconvenience to their busy staff but also create confusion among various stakeholders. So the most preferred solution to-date has been file encryption. However, the rising cases of data theft using ingenious ways have given rise to new fears, forcing the healthcare players to look at solutions that are more durable.
The way ahead
Full-disk encryption at the enterprise level ensures ‘always-on’ security that cannot be compromised by internal or external threats. When such encryption seamlessly integrates with existing technologies, then the stakeholders can rest assured that their data is in safe hands. For IT teams, having in place an intelligent security solution reduces the need for dealing with day-to-day challenges requiring continuously assessing company data, security and storage. The best data security tools work in the background—transparently—and provide automated, non-disruptive protection of assets and seamless authentication of network users. This aspect of transparency focuses on eliminating device and platform differences as obstacles to deploying universal security protection.The business of data security has evolved to play anfunctional role in an organization and helped to define its growth path.
The Cost of Non-Compliance
When a laptop is lost or stolen, the cost to the business is more than just replacement value and the hassle of cleaning things up. There are numerous costs including:
• Legal fees
• Forensic investigation fees
• System outages and lost opportunities
• Damage to brand and reputation (i.e. the Sony Online Entertainment and PlayStation Network security breach in 2011) and subsequent loss of trust
These costs can be enormous given what is at stake. In the Ponemon Institute’s The Billion Dollar Lost Laptop study (2012), it was determined that the total economic impact of lost laptops was an average of $6.4 million per organisation. The study found that healthcare and pharmaceuticals had the second highest number of laptop losses among all industries surveyed.