Health IT security lags behind retail industry

The massive data breaches at Target and eBay could be a taste of what's in store for the healthcare industry, according to a report from security rating firm BitSight Technology.

The report "Will Healthcare Be the Next Retail?" looked at security across four sectors--finance, utilities, retail, and healthcare and pharmaceuticals--based on data such as communication with a botnet, malware distribution or spam propagation.

Healthcare experienced the largest growth in security incidents during the study period--April 1, 2013, through March 31, 2014--but also the slowest response. Its response time was more than five days, while finance took about three-and-a-half days and retail and utilities each about four days.

Medical records sell for about $20 on the black market, according to the article, while credit card data brings about $1.

Finance had the best record in this analysis, which points out that it spends more on cybersecurity, tends to implement protections beyond those required by government and shares information on emerging threats.

Healthcare, however, is dinged for its poor compensation for security pros, based on a Ponemon Institute salary report, and for spending only enough to comply with HIPAA and other privacy regulations.

"Unlike the financial institutions and electric utilities ... the healthcare and pharmaceutical companies do not view cybersecurity as a strategic business issue," the report states. "They do not spend enough resources to protect their data, in part because cybersecurity has not received the executive-level attention it deserves."

The report echoes a SANS Institute finding that compliance does not equal security. That report found that networks and Internet-connected devices of healthcare organizations are being compromised at an "alarming" frequency.

Meanwhile, the U.S. Department of Health & Human Services has been slapping on ever-heftier fines, such as the $3.3 million penalty levied against New York-Presbyterian Hospital for a compromised server--the largest HIPAA settlement to date.

To learn more:
- find the report (registration required)
- here's the InformationWeek article