Thales Blog

Healthcare Organizations Need to Adapt Their Data Protection Policies to the New Threat Environment

November 17, 2020

Todd Moore | VP Encryption Products, Thales

Healthcare providers are at the epicenter of the fight against coronavirus. While the pandemic accelerated their digital transformation initiatives, it also expanded their threat surface and opened up opportunities for cybercriminals. For example, data sprawl has significantly increased due to all of the new patient data created during the pandemic. This new model of hyper-distributed data creates a much broader attack surface than existed before. In addition, telemedicine has generated a larger pool of potential targets for phishing scams as well as for other socially engineered and technically based attacks (e.g., ransomware). Given this, healthcare organizations need to advance their security efforts to adapt to this shifting environment.

COVID-19 accelerates healthcare digitalization

According to the global edition of the Thales 2020 Data Threat Report, 47% of healthcare organizations are either aggressively disrupting their market or are embedding digital capabilities that enable greater agility. The social distancing requirements of the COVID-19 pandemic, which force healthcare providers to adopt telemedicine services to a greater degree in order to offer their patients the same level of treatment remotely, will be a strong driver for further digitalization of the healthcare sector.

In fact, a recent survey revealed that COVID-19 accelerated companies’ digital transformation strategies by a global average of six years. Healthcare was among the sectors digitalizing at a faster pace: 74% of the surveyed healthcare providers embarked on new digital initiatives to meet the needs of the “new normal”.

The healthcare industry is a highly regulated one, with HIPAA in the U.S. and GDPR in the EU dictating strong security controls for safeguarding medical data and sensitive personal patient data. While regulators were more lenient in enforcing compliance requirements for the sake of containing the pandemic, the security requirements themselves were not lifted. U.S. and EU officials stressed that these regulations remained in force and that they enabled the secure processing of sensitive data by the scientific community fighting the pandemic.

Despite the solid regulatory environment, digitalized healthcare providers have a greater threat exposure, with 37% of the Thales 2020 Data Threat Report respondents saying that they had experienced a data breach or failed a compliance audit during 2019. The degree of digitalization and the scientific efforts to develop a COVID-19 vaccine have further increased the threat surface. Whether the adversaries are cyber criminals seeking to wreak havoc or state actors pursuing industrial espionage, the healthcare industry is squarely a target for increased cyber-attacks that take advantage of the pandemic.

Sensitive medical data is not protected

The challenge for the healthcare industry to meet regulatory compliance and safeguard their data increases as they store more of their data in cloud environments. According to the report, almost all (97%) of financial services organizations store data in the cloud. More importantly, half of that cloud data is sensitive.

The report found that, in order to meet regulatory security requirements, healthcare organizations are spending more money on data security, increasing expenditure by 47% and reaching 15.9% of total budget. Healthcare organizations require tools to manage the complexity of securing their sensitive data, which spans legacy on-premise infrastructure and modern, cloud-based platforms. These tools include smart, technology-oriented solutions such as encryption and tokenization.

Healthcare Industry at a Glance

Despite the increased expenditure on data security, healthcare providers do not seem to be concerned enough about the issues creating the most risk. The survey data revealed that encryption and tokenization rates remain low: healthcare organizations encrypt 59% of their sensitive data and apply tokenization to a little less than half (49%) of it.

Data security is important in a multi-cloud world

The lack of sufficient and efficient data protection controls is a major risk for multi-cloud organizations. Digital transformation has dissolved traditional corporate perimeters and their defenses. Today, almost all (98%) corporate data resides in off-premise, cloud-based platforms and is accessed and processed through cloud apps. As more and more businesses disrupt their markets by adopting digital capabilities, security should not be an afterthought.

A great percentage of the data stored in these platforms is sensitive: confidential corporate information, Personally Identifiable Information (PII) including patient data, and proprietary data. Despite the critical importance of this data, organizations fail to properly secure these assets. According to the report, almost half of the data hosted in the cloud is neither encrypted nor tokenized. In fact, 100% of global respondents say at least some of their sensitive data in the cloud is not encrypted.

Lack of data protection leads to failed compliance audits and eventually to data breaches. Alarmingly, almost half (49%) of the global organizations have suffered from a data breach.

One of the reasons preventing wider adoption of security policies is complexity. As more data migrates to the cloud, security becomes more complex. But much of this complexity is self-inflicted, as multi-cloud environments have become increasingly common. Companies are using multiple IaaS and PaaS environments, as well as hundreds of SaaS applications. The study revealed that 81% of global respondents use more than one IaaS vendor, 81% have more than one PaaS vendor, and 11% have more than 100 SaaS applications to manage.

Smart data protection to address all risks

As more sensitive data is stored in cloud environments, data security and privacy risks increase. Globally, organizations face expanding and more complex data security challenges as part of implementing their cloud and digital transformation strategies, especially considering current COVID-19 realities and preparation for post-pandemic possibilities.

Organizations should place their cloud security focus on the portion of the shared responsibility model where they can influence the security of their data. Data security solutions, especially encryption, are critical to remaining vigilant against the new data risk reality. This point is especially relevant as the current work-from-home migration has forced employees to access greater amounts of corporate data off-premises, sometimes through Bring Your Own Device (BYOD) arrangements. This affects the healthcare industry in particular, as many clinicians have shifted to a “telemedicine” model, performing triage over video chats and other communication tools. In an emergency, a diagnostic conversation may take place over a medium that is not encrypted, exposing a medical practice to various regulatory violations. Even if an organization loses visibility of where its data resides, data security technologies such as encryption are required to protect corporate data in a location-agnostic manner.
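The tokenization and location-agnostic protection the report describes can be made concrete with a small worked example. The following Python code is an added illustration, not code from Thales or from the report: a hypothetical on-premise token vault (`TokenVault`) replaces the sensitive fields of a constructed patient record with random tokens before the record is stored in any cloud, so the stored copy carries no patient data regardless of which IaaS, PaaS or SaaS platform holds it, and only the organization's vault can restore it. The `unprotected_fields` audit helper shows the kind of check behind the report's finding that some sensitive data in the cloud remains in the clear. The field list, the `tok_` token prefix and the sample record are assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Fields this example classifies as sensitive patient data (constructed list;
# a real deployment would derive it from its HIPAA/GDPR data classification).
SENSITIVE_FIELDS = ("name", "ssn", "dob", "diagnosis")

TOKEN_PREFIX = "tok_"  # assumed convention so audits can recognise tokens


class TokenVault:
    """Hypothetical on-premise token vault.

    Tokens are random, so a token stored in the cloud reveals nothing about the
    value it stands for. The keyed fingerprint only ensures the same value in the
    same field always maps to the same token, so records remain joinable.
    The vault, its lookup key and the token->value map never leave the organization.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key
        self._token_by_fingerprint = {}  # HMAC(field, value) -> token
        self._value_by_token = {}        # token -> original value

    def tokenize(self, field: str, value: str) -> str:
        msg = f"{field}\0{value}".encode("utf-8")
        fingerprint = hmac.new(self._lookup_key, msg, hashlib.sha256).hexdigest()
        token = self._token_by_fingerprint.get(fingerprint)
        if token is None:
            token = f"{TOKEN_PREFIX}{field}_{secrets.token_hex(16)}"
            self._token_by_fingerprint[fingerprint] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]


def is_token(value) -> bool:
    return isinstance(value, str) and value.startswith(TOKEN_PREFIX)


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record with every sensitive field tokenized."""
    protected = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in protected and not is_token(protected[field]):
            protected[field] = vault.tokenize(field, protected[field])
    return protected


def restore_record(protected: dict, vault: TokenVault) -> dict:
    """Reverse protect_record; only possible with access to the vault."""
    restored = dict(protected)
    for field in SENSITIVE_FIELDS:
        if field in restored and is_token(restored[field]):
            restored[field] = vault.detokenize(restored[field])
    return restored


def unprotected_fields(record: dict) -> list:
    """Audit check: sensitive fields that still hold plaintext values."""
    return [f for f in SENSITIVE_FIELDS
            if f in record and not is_token(record[f])]


# Constructed sample record; no real patient is described.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "dob": "1980-01-01",
    "diagnosis": "seasonal influenza",
    "visit_date": "2020-11-17",
}

if __name__ == "__main__":
    vault = TokenVault(lookup_key=b"constructed-vault-key-not-for-real-use")
    print("Before protection, unprotected fields:", unprotected_fields(SAMPLE_RECORD))
    cloud_copy = protect_record(SAMPLE_RECORD, vault)
    print("Record as stored in the cloud:", cloud_copy)
    print("After protection, unprotected fields:", unprotected_fields(cloud_copy))
    print("Restored on-premise:", restore_record(cloud_copy, vault))
```

The non-sensitive fields (`patient_id`, `visit_date`) stay usable in the cloud for scheduling or analytics, while anything that identifies the patient or describes their condition is replaced before leaving the organization. The same separation applies to encryption: the ciphertext can live anywhere, but the keys belong in a key management system the organization controls across all of its clouds.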

Next year will bring new and increasingly complex data protection challenges for organizations around the globe. Without a doubt, healthcare organizations will need smarter, better ways to approach data security. Encrypt everything, embrace a zero-trust model, protect patient data at every turn, and implement a strong multi-cloud key management strategy: these should be the cornerstones of your corporate security strategy.

For more key findings, download the Thales 2020 Data Threat Report-Global Edition.