Access management shortfalls in health care sector
June 9, 2014

Patient data is among the most protected and sensitive information in the world, especially as the theft of such files could lead to life or death situations. When fraud is perpetrated through the use of consumers' health records, the histories contained therein that physicians rely upon to provide accurate and proper care to patients will be incorrect and could cause significant problems for everyone involved.

As such, regulators have increased efforts to reform data security standards among health care providers, with the U.S. further expanding upon its Health Information Portability and Accountability Act and the more recent Health Information Technology for Economic and Clinical Health Act. The challenge here is that health care providers are required to adopt more advanced digital technologies while simultaneously maintaining exceptional access and identity management procedures.

In many ways, authentication can be an excellent step forward for health care IT security, as it will act as a centralized and effective tool to protect data from the threat of breach and loss. A new study found that while the retail sector has been under the gun for a massive outbreak of breaches in the past few months, health care is actually among the worst performing industries in this arena, and the consequences of continued lackadaisical controls could be significant. 

Scary results
BitSight Technologies, a company that provides security ratings to organizations and watchdog groups, released its analysis of cross-industry security performance, which turned up somewhat surprising results. The group rates businesses and public sector agencies on a scale of 250 to 900, with the highest score indicating the most secure organizations and the lowest the least secure.

For perspective, the retail sector has not been performing well in the access management game, but still received a score of 685 from the analysts at BitSight. Health care providers and pharmaceutical companies, on the other hand, received a 660 on average, and the typical security event in the sector lasts longer than in any other industry, at 5.3 days.

One of the reasons behind this might be the rapid expansion and deployment of new technologies in the sector, which have not necessarily been diligently controlled. 

"In our recent assessment of medical devices used in clinics and hospitals around the country, weak encryption, lack of key management, poor authentication and authorization protocols, and insecure communications were all common findings," Chandu Ketkar, a technical manager, explained. "These gaps in security can lead to a compromise in data confidentiality and integrity. When sensitive data is compromised, it can not only create risks for patients, but also expose health care providers and device manufacturers to regulatory and business risks."

The source noted that the financial services industry actually received the highest security ranking, at 765, and that one piece of malware accounted for a significant portion of its problems. BitSight pointed out that Zeus malware seems to be the biggest threat to banks, as it comprised 33 percent of all malware that hit the sector in the past year.

What needs to be done?
Health care providers can run into significant problems in terms of compliance-related sanctions and general financial loss when they do not protect patient information. Several major events have taken place in a short period of time that have further highlighted the need for advancement and modernization of controls in this industry, yet many organizations remain seemingly apathetic to the threats that abound.

By incorporating authentication solutions into the security program, health care providers can simultaneously improve the efficiency of access management while not sacrificing protection.