The Top 5 Challenges facing Healthcare CISOs Today
A recap of the healthcare CISOs’ top infosec concerns from an event last week at the Massachusetts Health Data Consortium.
I recently attended an event at the Massachusetts Health Data Consortium that featured a discussion from healthcare CISOs and members of their security teams. The session focused on the top challenges facing healthcare infosec professionals in their business of protecting sensitive patient data and ensuring data availability. I found the session to be very interesting, so I wanted to share the top 5 challenges discussed by the participants.
1. Identifying and classifying sensitive data
You can’t protect what you don’t know about or can’t find, so there was a lot of discussion around the importance of being able to discover and classify sensitive data within the organization. The speakers recommended getting started by defining what types of data require protection, such as ePHI, PII, or PCI data. Once you’ve identified which types of data will be considered sensitive, you need to locate where that data exists within your organization: determine which areas of the environment it resides in, such as endpoints, networks, the cloud, and so on.
2. Employees put sensitive data at risk
Current or former employees, either by malice or mistake, can leak sensitive patient data across a variety of egress channels such as email, removable media, mobile devices, and cloud storage. As is the case in many industries, healthcare organizations struggle with finding the best ways to educate and empower users with the knowledge and practices to keep data safe.
Image via John Klossner.
3. Phishing attacks
Healthcare organizations have proven to be particularly vulnerable to phishing attacks. According to the CISOs, phishing attacks remain the top entry vector for malware, including ransomware. The phishing threat in the healthcare industry has been widely reported on in recent years. SecurityScorecard’s 2016 Healthcare Industry Cybersecurity Report found that 75% of healthcare organizations have fallen victim to malware infections, with PhishMe research suggesting that 91% of those attacks start with phishing.
4. Security tools providing way too many false positives
This is a common problem; time and resources spent responding to false positives are effectively wasted. Healthcare infosec teams are finding that the traditional methods of discovering PHI are prone to both false positives and false negatives, leading to high staffing costs and results that are not actionable.
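The two points above, discovering and classifying sensitive data (challenge 1) and keeping pattern-based discovery from drowning the team in false positives (challenge 4), can be illustrated with a small discovery pass. The code below is an added example written for this recap; it is not code from the post's author or from any tool discussed at the session. The corpus, file locations and the "MRN" plus eight digits record-number format are constructed assumptions for illustration.

```python
"""Added example: pattern-based sensitive-data discovery with validation rules
that drop look-alike strings before they reach an analyst.  Every sample record,
path and identifier format here is constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Naive 3-2-4 digit pattern for a US Social Security Number.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# Assumed medical record number format for this example: "MRN" + 8 digits.
MRN_RE = re.compile(r"\bMRN(\d{8})\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # category of identifier found (SSN, email, MRN)
    value: str     # matched text (a real report would redact this)
    location: str  # endpoint, share or cloud location it was found in


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: area 000, 666 and 900-999 are never
    assigned, and group 00 / serial 0000 are invalid.  Any 3-2-4 string that
    breaks them cannot be an SSN, so it is filtered as a false positive."""
    if area in ("000", "666") or area >= "900":
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def count_naive_ssn_hits(text: str) -> int:
    """What a bare regex would report, before any validation."""
    return len(SSN_RE.findall(text))


def scan_text(text: str, location: str) -> list[Finding]:
    """Return validated findings for one piece of content."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            findings.append(Finding("SSN", m.group(0), location))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group(0), location))
    for m in MRN_RE.finditer(text):
        findings.append(Finding("MRN", m.group(0), location))
    return findings


def classify_location(findings: list[Finding]) -> str:
    """Map the identifiers found at a location to a protection class."""
    kinds = {f.kind for f in findings}
    if "MRN" in kinds:
        return "ePHI"   # a patient identifier makes the whole record ePHI
    if kinds & {"SSN", "email"}:
        return "PII"
    return "none"


# Constructed corpus standing in for files on endpoints, shares and cloud storage.
SAMPLE_CORPUS = {
    "endpoint:C:/Users/nurse/notes.txt": "Patient MRN00451234 seen today, contact jane.doe@example.org",
    "share://finance/payroll.csv": "name,ssn\nA. Smith,123-45-6789",
    "cloud://bucket/test-fixtures.txt": "dummy ids 000-12-3456 and 987-65-4321 and 123-00-4567",
    "endpoint:/home/dev/README.md": "nothing sensitive here",
}


def discover(corpus: dict[str, str]) -> dict[str, tuple[str, list[Finding]]]:
    """Classify every location in the corpus and keep the supporting findings."""
    results: dict[str, tuple[str, list[Finding]]] = {}
    for location, text in corpus.items():
        findings = scan_text(text, location)
        results[location] = (classify_location(findings), findings)
    return results


def naive_vs_validated(corpus: dict[str, str]) -> tuple[int, int]:
    """Compare raw regex SSN hits with hits that survive validation."""
    naive = sum(count_naive_ssn_hits(text) for text in corpus.values())
    validated = sum(
        1 for loc, text in corpus.items() for f in scan_text(text, loc) if f.kind == "SSN"
    )
    return naive, validated


if __name__ == "__main__":
    for location, (label, findings) in discover(SAMPLE_CORPUS).items():
        print(f"{label:>5}  {location}  ({len(findings)} finding(s))")
    print("naive vs validated SSN hits:", naive_vs_validated(SAMPLE_CORPUS))
```

On this corpus the bare SSN pattern fires four times but only one hit survives validation: the three entries in the test-fixture file fail the structural rules and are never shown to an analyst. Extending the same idea to the other identifier types (check digits on account numbers, known domain lists for email) is how a discovery tool trades raw recall for results the team can actually act on.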
5. A severe security talent shortage
The security talent shortage is real. As healthcare infosec teams continue to struggle to get sufficient budgets and resources for data protection, many face difficulties in finding qualified security practitioners to fill critical roles. A CIO Survey from last year found that unemployment in the information security industry is virtually 0%, while 23.2% of security professionals reported that the talent shortage is the biggest issue in IT.
I hope you find the speakers’ insights as useful as I have, and for more information on data protection for the healthcare industry, check out some of our resources on the subject: