SAN JOSE, Calif. – April 13, 2015 – Vormetric, a leader in enterprise data security for physical, virtual, big data, public, private and hybrid cloud environments, today announced the healthcare-focused results of the 2015 Vormetric Insider Threat Report (ITR). Key findings include that 92 percent of healthcare Information Technology (IT) decision makers reported that their organizations are either somewhat or more vulnerable to insider threats, and 49 percent felt very or extremely vulnerable. Additionally, 62 percent of respondents identified privileged users – those who have access to all resources available from systems they manage – as the most dangerous insider. Partners with internal access and contractors ranked second and third, respectively.
The survey was conducted online on behalf of Vormetric by Harris Poll in fall 2014 and included responses from 102 IT decision makers (ITDMs) in U.S. healthcare organizations, as well as 818 total ITDMs in the U.S., U.K., Germany, Japan and the ASEAN region. The healthcare research brief extends earlier findings in the global report, retail and financial research briefs, cloud and big data edition, and the Japan and ASEAN edition with details on the impact of insider threats to the U.S. healthcare industry.
Healthcare data has become highly desirable to bad actors, and much more valuable than credit card information, with healthcare records selling for tens to hundreds of dollars, while U.S. credit card records sell for 50 cents or less. The enormous detail available in patient records is the reason for this, making it possible for criminals to not only apply for credit cards or loans, but to generate large sums from fraudulent medical charges, or even to compromise a patient’s existing financial accounts.
The survey results indicate that data protection in healthcare organizations is driven largely by compliance requirements – 54 percent reported compliance requirements as the top reason for protecting sensitive data, and 68 percent rated compliance as very or extremely effective at stopping insider threats and data breaches. Unfortunately, compliance standards evolve slowly, often with years between revisions. Threats to data however, change quickly as new vulnerabilities are found and new attacks are developed. The result is that meeting compliance requirements is no longer enough to protect sensitive data.
With the combination of healthcare data becoming a very attractive target, and a high regard for compliance as an effective defense, it isn’t surprising that 26 percent of healthcare respondents reported that their organization had previously experienced a data breach. The fact that 48 percent reported that in the last year their organization had failed a compliance audit or encountered a data breach is also troubling, indicating possible problems with meeting even base-level compliance.
However priorities appear to be changing – with respondents reporting that compliance is their second priority for IT Security spending at 39 percent, behind preventing a data breach at 53 percent. The importance of data breach prevention increased 2.5x from 21 percent just two years ago, a substantial change in attitudes (when compared against results reported for all respondents in the 2013 Vormetric Insider Threat Report).
63 percent of healthcare IT decision makers report that their organizations are planning to increase spending to offset data threats, the highest of any segment or region measured. When reporting their IT spending priorities, the top drivers were:
Respondents to the survey also identified the greatest planned spending investments in data-at-rest defenses (46 percent) and analysis/correlation tools (45 percent).
“Healthcare data has become one of the most desirable commodities for sale on black market sites, yet U.S. healthcare organizations are failing to secure that data,” said Alan Kessler, CEO of Vormetric. “An overreliance on compliance requirements and a cursory nod to data protection point to systemic failures that are putting patient data at risk. What’s needed is for healthcare organization to realize that compliance is not enough, and to implement the controls and policies required to put the security of their data first.”
The healthcare research brief is available from Vormetric and can be found here.
Vormetric’s 2015 Insider Threat Report was conducted online by Harris Poll on behalf of Vormetric from September 22-October 16, 2014, among 818 adults ages 18 and older, who work full-time as an IT professional in a company and have at least a major influence in decision making for IT. In the U.S., 408 ITDMs were surveyed among companies with at least $200 million in revenue with 102 from the health care industries, 102 from financial industries, 102 from retail industries and 102 from other industries. Roughly 100 ITDMs were interviewed in the UK (103), Germany (102), Japan (102), and ASEAN (103) from companies that have at least $100 million in revenue. ASEAN countries were defined as Singapore, Malaysia, Indonesia, Thailand, and the Philippines. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated.
Vormetric (@Vormetric) is the industry leader in data security solutions that protect data-at-rest across physical, big data and cloud environments. Vormetric helps over 1500 customers, including 17 of the Fortune 30, to meet compliance requirements and protect what matters — their sensitive data — from both internal and external threats. The company’s scalable Vormetric Data Security Platform protects any file, any database and any application’s data —anywhere it resides — with a high performance, market-leading solution set.