By Clive Riddle, April 16, 2015

Given the Anthem health plan hack in February, and other healthcare organizations that have fallen victim to breaches as of late, surveys offering threat assessments are certainly of interest. Vormetric just released the twenty-page 2015 Vormetric Insider Threat Report, which includes healthcare industry specific data.

How does Vormetric define Insider Threats? "Insider threats are caused by a wide range of offenders who either maliciously or accidentally do things that put an organization and its data at risk. The insider threat landscape is becoming more difficult to deal with as the range of miscreants moves beyond employees and privileged IT staff. It now includes outsiders who have stolen valid user credentials; business partners, suppliers, and contractors with inappropriate access rights; and third-party service providers with excessive admin privileges. Unless properly controlled, all of these groups have the opportunity to reach inside corporate networks and steal unprotected data."

Vormetric's 2015 Insider Threat Report was conducted online by Harris Poll during fall 2014, with 818 global respondents who work full-time as an IT professional with major influence in decision making for their company’s IT. In the U.S., 408 ITDMs were surveyed among companies with at least $200 million in revenue with 102 from the health care industries, 102 from financial industries, 102 from retail industries and 102 from other industries.

Vormetric reminds us that hacker attraction to healthcare is fueled by black market “healthcare records selling for tens to hundreds of dollars, while U.S. credit card records sell for 50 cents or less.” Alan Kessler, Vormetric tells us "healthcare data has become one of the most desirable commodities for sale on black market sites, yet U.S. healthcare organizations are failing to secure that data. An overreliance on compliance requirements and a cursory nod to data protection point to systemic failures that are putting patient data at risk. What's needed is for healthcare organization to realize that compliance is not enough, and to implement the controls and policies required to put the security of their data first."

Among healthcare organization respondents to their survey, 48% encountered a data breach or failed a compliance audit in the last year. 26% of healthcare respondents reported that their organization had previously experienced a data breach. 54% reported compliance requirements as the top reason for protecting sensitive data, and 68% rated compliance as very or extremely effective at stopping insider threats and data breaches.

63 percent of healthcare IT decision makers report that their organizations are planning to increase spending to offset data threats, which was the highest of any segment or region measured in the report.

When asked about the most important reasons for securing sensitive data, the top three responses from the healthcare sector were compliance (55%), implementing best practices (44%) and reputational protection (41%). In comparison to other business sectors the compliance response was 5 percentage points above other industry averages.