Security Technology Executive

FEB-MAR 2014

Issue link: https://securitytechnologyexecutive.epubxp.com/i/282968


Bridging the Gap Between Compliance and IT Security in Healthcare

HEALTHCARE SECURITY: COMPLIANCE & IT

By Kim Lennan

The healthcare industry has a higher per capita cost of data breach than any other sector.

It should come as no surprise that the per capita cost of a data breach is much higher for heavily regulated industries such as healthcare, financial and pharmaceuticals than for those less regulated, like retail and public services. But what might be surprising is that according to the 2013 Ponemon Cost of Data Breach Study, healthcare has surpassed the financial industry and now bears the highest cost of all – 70 percent above the overall mean value. With the update last year to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HITECH Act of 2009, the cost will likely continue to increase. The annual cap on fines for security breaches has now increased from a maximum of $25,000 per year to $1.5 million. And fines are only part of the financial burden. Investigation and legal efforts, business downtime and decreased credibility all drive up costs even further.

Costs aren't the only aspect of security on the rise – cyber threats are as well. According to the Cisco 2014 Annual Security Report, threat alerts grew 14 percent year-over-year. Whether a breach is the result of actions by an insider or a targeted attack from outside the organization, the goal is to find and stop the breach as quickly as possible to minimize damage.

But many healthcare organizations are challenged to effectively communicate and collaborate when it comes to security. In many of these organizations there is a department for privacy and compliance and then a separate department for enterprise IT security. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the other's data.

Let's take a look at a couple of examples. These days we hear a lot about insider threats. An individual's actions may look legitimate, but when correlated with some other activity they could indicate that malicious activity is occurring. A workstation that has always accessed clinical data or some other patient information doesn't raise suspicion. But a subtle, steady increase in traffic, say of five or 10 percent, correlated with communication to an unauthorized or new IP address, likely indicates a breach. The same example could apply to an external threat, with a malicious actor using social engineering methods to entice an unwitting user to download malware. Once inside the network, the malware can replicate the very same scenario. Either way, a breach has occurred. The IT security
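The correlation the article describes, as an added example that is not part of the original piece: per-workstation outbound traffic is compared against a baseline, and a host is flagged only when a modest increase (five percent or more, the article's figure) coincides with a destination IP it has never talked to before. The flow records, workstation names and IP addresses are constructed for illustration.

```python
# Added example: correlate a small traffic increase with a first-seen
# destination per workstation. Flow records below are constructed test data.
from collections import defaultdict

# (day, workstation, destination_ip, bytes_out); days 1-3 are the baseline.
FLOWS = [
    (1, "ws-clinic-07", "10.20.0.15", 100_000),
    (2, "ws-clinic-07", "10.20.0.15", 102_000),
    (3, "ws-clinic-07", "10.20.0.15", 98_000),
    (4, "ws-clinic-07", "10.20.0.15", 60_000),
    (4, "ws-clinic-07", "198.51.100.9", 48_000),   # new peer, ~8% more traffic
    (1, "ws-radiology-02", "10.20.0.15", 200_000),
    (2, "ws-radiology-02", "10.20.0.15", 210_000),
    (3, "ws-radiology-02", "10.20.0.15", 190_000),
    (4, "ws-radiology-02", "10.20.0.15", 280_000),  # big jump, known peer only
    (1, "ws-billing-11", "10.20.0.22", 50_000),
    (2, "ws-billing-11", "10.20.0.22", 50_000),
    (3, "ws-billing-11", "10.20.0.22", 50_000),
    (4, "ws-billing-11", "10.20.0.22", 40_000),
    (4, "ws-billing-11", "10.20.0.30", 9_000),       # new peer, traffic down
]


def correlate(flows, baseline_days, review_day, pct_threshold=5.0):
    """Return {workstation: (pct_increase, [new_peers])} for hosts where
    BOTH signals are present; either signal alone is left unflagged."""
    base_bytes, base_peers = defaultdict(int), defaultdict(set)
    day_bytes, day_peers = defaultdict(int), defaultdict(set)
    for day, ws, dst, nbytes in flows:
        if day in baseline_days:
            base_bytes[ws] += nbytes
            base_peers[ws].add(dst)
        elif day == review_day:
            day_bytes[ws] += nbytes
            day_peers[ws].add(dst)
    findings = {}
    for ws in day_bytes:
        if ws not in base_bytes:        # no history to compare against
            continue
        avg = base_bytes[ws] / len(baseline_days)
        pct = (day_bytes[ws] - avg) * 100 / avg
        new_peers = sorted(day_peers[ws] - base_peers[ws])
        if pct >= pct_threshold and new_peers:
            findings[ws] = (round(pct, 1), new_peers)
    return findings


if __name__ == "__main__":
    for ws, (pct, peers) in correlate(FLOWS, {1, 2, 3}, 4).items():
        print(f"{ws}: +{pct}% traffic, first-seen peers {peers}")
```

Only ws-clinic-07 is reported: ws-radiology-02 grew by 40 percent but only to a known peer, and ws-billing-11 reached a new peer while its traffic fell.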
