Six Top Security Gaps in Healthcare Organizations

As the deadline of May 25, 2018, for General Data Protection Regulation (GDPR) compliance looms near, together with steep penalties for non-compliance of up to 4 percent of total worldwide annual turnover, any organization working with sensitive data of European citizens needs to identify and address security gaps to ensure compliance.

This includes, but is not limited to, Health and Life Sciences (HLS) organizations based in Europe, as well as multi-national organizations that work with sensitive information of European citizens. In this article, we look at the top six security gaps in HLS organizations globally and in Europe, and the relevance of these gaps to GDPR.

The Intel Security Readiness Program (SRP) enables HLS organizations to benchmark their security against peers and the HLS industry, to see whether they are lagging in security, and if so where (which security capabilities). HLS organizations in this program participate in a 1-hour, complimentary, confidential workshop and afterwards receive an encrypted report that benchmarks their security against the HLS industry and peers and maps their security capabilities and gaps to GDPR. This lets them see quickly how their security compares, what gaps they have, and how those gaps relate to GDPR, so they can prioritize and remediate gaps and achieve compliance ahead of the GDPR deadline. The SRP is built on high-quality security benchmark data, acquired by trained security assessors working with verified HLS security teams, and participating HLS organizations are able to update their data at any time.

To date, 147 HLS organizations are participating in this program, including 51 based in Europe. Below are listed the six weakest security capabilities in the Baseline tier of security maturity across the 51 HLS organizations based in Europe that are currently participating in the SRP. Each of these capabilities is listed together with its relevance to GDPR. This aggregate, anonymous, industry-level data does not include organizations outside Europe that may also be held to GDPR compliance, for example, multi-national organizations storing European citizen data.

Endpoint Data Loss Prevention (Discovery Mode)

Endpoint Data Loss Prevention (EDLP) is defined as the ability to discover, and possibly also classify, sensitive information at rest on clients or servers. In discovery mode, EDLP only monitors, logs and alerts; it does not block user actions. Running EDLP in discovery mode typically precedes configuring it in a prevention or blocking mode. Only 14 percent of HLS organizations have this implemented, 4 percent have it partially implemented, and a whopping 82 percent have nothing. This is relevant to GDPR Regulation 83 (accidental loss of personal data).
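The example below, added here as an illustration and not code from Intel's SRP or any DLP product, shows what a discovery-mode scan looks like in practice: it walks a directory tree, opens each file read-only, classifies content against a small set of assumed detector patterns (an e-mail address regex and a UK NHS number pattern validated with its modulus-11 check digit so that random 10-digit numbers are not reported), and emits alert lines that carry counts and paths rather than the matched values. The sample files it scans are constructed inline; nothing is modified, moved or blocked.

```python
"""Endpoint DLP in discovery mode: find and classify sensitive data at rest,
then log and alert. Added example; the detectors and sample files are
assumptions for illustration, not an actual product's rule set."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Detector patterns (assumed minimal set; real engines add dictionaries,
# fingerprints and many more validated identifier formats).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
NHS_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")


def nhs_check_digit_ok(digits: str) -> bool:
    """Modulus-11 check digit used by 10-digit NHS numbers.

    Weights 10..2 are applied to the first nine digits; the check digit is
    11 - (sum mod 11), with 11 -> 0 and 10 meaning the number is invalid.
    """
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


@dataclass
class Finding:
    path: str
    kind: str
    count: int


def classify_text(text: str) -> Dict[str, int]:
    """Return {detector: number of validated matches} for one file's text."""
    hits: Dict[str, int] = {}
    emails = EMAIL_RE.findall(text)
    if emails:
        hits["email"] = len(emails)
    nhs = [a + b + c for a, b, c in NHS_RE.findall(text)
           if nhs_check_digit_ok(a + b + c)]
    if nhs:
        hits["nhs_number"] = len(nhs)
    return hits


def discover(root: str, max_bytes: int = 1_000_000) -> List[Finding]:
    """Discovery mode: read-only walk, classify, report. Never modify or block."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)   # cap per-file read for large files
            except OSError:
                continue   # unreadable: skip and move on, do not escalate rights
            text = data.decode("utf-8", errors="ignore")
            for kind, count in classify_text(text).items():
                findings.append(Finding(path, kind, count))
    return findings


def alert_lines(findings: List[Finding]) -> List[str]:
    """Alert records carry counts and locations, never the matched values,
    so the DLP log itself does not become another copy of the personal data."""
    return [f"ALERT dlp.discovery kind={f.kind} count={f.count} path={f.path}"
            for f in findings]


def run_demo() -> Dict[str, Dict[str, int]]:
    """Scan constructed sample files and return {filename: {kind: count}}."""
    samples = {  # constructed content; 943 476 5919 passes the check digit
        "patients.txt": "Contact: jane.doe@example.org\nNHS number: 943 476 5919\n",
        "invoice.txt": "Order ref 1234567890, nothing personal here\n",
        "readme.txt": "Shared drive for the clinic team\n",
    }
    result: Dict[str, Dict[str, int]] = {}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = discover(root)
        for f in findings:
            result.setdefault(os.path.basename(f.path), {})[f.kind] = f.count
        for line in alert_lines(findings):
            print(line)
    return result


if __name__ == "__main__":
    run_demo()
```

Running it reports only patients.txt: the 10-digit order reference in invoice.txt fails the check digit and is dropped, which is the kind of validation step that keeps a discovery run's alert volume credible before anyone considers switching the same rules to blocking mode.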

Audit and Compliance

Audit and compliance is defined as the technology and processes in place to detect and remedy non-compliance with policy. Only 31 percent have this capability fully implemented, 49 percent have it partially implemented, and 20 percent have no audit and compliance capability. This is relevant to GDPR Regulation 74 (demonstrating compliance).

Endpoint Device Encryption

This capability is defined as encryption of data at rest on client devices that store sensitive information. Only 41 percent have this fully implemented, 35 percent have it partially implemented, and 24 percent have no endpoint device encryption. This is relevant to GDPR Article 32(1)(a) (encryption of personal data).

Security Incident Response Plan

A Security Incident Response Plan (SIRP) is defined as documented plans in place covering what to do in the event of a suspected information security incident or breach. In the event of a breach or ransomware infection, having a SIRP helps the security team in the HLS organization coordinate internal and external teams quickly and accurately, and delivers real benefits in terms of minimizing disruption and impact. Only 41 percent have this fully implemented, 41 percent have it partially, and 18 percent have no SIRP. This is a foundational security capability applicable to all types of security incidents and is relevant to GDPR Article 32(1) (protecting the confidentiality, integrity and availability of personal data).

User Awareness Training

This capability is defined as training of workers on security and privacy. It may be delivered at the time of hire, on change of role, annually, or more frequently, and it may also be triggered by specific events. More advanced training may use gamified techniques, for example simulated spear phishing, to train workers on the job. Only 41 percent have this fully implemented, 45 percent have it partially, and 14 percent have no user awareness training. This is relevant to GDPR Article 39 (awareness raising and training of staff).

Mobile Device Management

Mobile Device Management (MDM) is defined as the management of mobile client devices, including smartphones and tablets. It is often used with Bring Your Own Device (BYOD) personal devices and is also used with corporate-owned mobile devices. Functionality may include a secure container for whitelisted business apps and data, with access control and encryption, as well as remote management including remote lock and wipe. Only 47 percent have this capability, 27 percent have it partially, and 25 percent have no MDM. This is relevant to GDPR Regulation 83 (accidental or unlawful loss of personal data).

Take Action

Are you an HLS organization based in Europe, or a multi-national organization held to GDPR compliance? Bootstrap your GDPR compliance initiatives: join us for a 1-hour, complimentary, confidential SRP workshop to benchmark your security against peers and the HLS industry, and receive your encrypted report showing how your security compares, whether your security is lagging and relatively vulnerable, and if so where (which capabilities), and how your capabilities and gaps relate to GDPR. Intel and over 40 industry partners worldwide are currently running these workshops and will continue to do so through 2018. See Intel.com/SecurityReadiness for a concise overview, a sample report, global healthcare industry results, white papers, and how to engage.