After a seemingly nonstop series of breaches affecting health care organizations, the software giant announces plans to engage with IT security professionals in the industry.
Overflowing with sensitive personal data and payment information, health care systems are a prime target for hackers.
In October, Accenture estimated that over five years, cyber-attacks will cost U.S. health systems $305 billion
in cumulative lifetime revenue. One in 13 patients can expect to have their personal information stolen, including financial details or Social Security numbers, during that time.
Early last year, health insurance provider Anthem reported a data breach affecting 80 million users
. Around the same time, fellow health insurer Premera disclosed a breach
affecting up to 11 million people.
Faced with these risks, Leslie Sistla, chief information security officer of Microsoft Worldwide Health, is calling for "security intervention in health care."
One industry's approach to data security can fall short in another industry, particularly health care, where personal, health and financial information often intersect. "The natural tension between safeguarding data and giving clinicians quick access to patient records, often in life-or-death situations, means the practices that serve other industries can't just be mimicked in a healthcare setting," said Sistla in a Feb. 24 advisory
announcing a new outreach effort by her company.
In addition to new investments in security research and development, Microsoft intends to provide health care IT professionals with strategies and guidance with a new blog series. "In future posts, we'll look at how to mobilize entire organizations, from the C-suite to the clinic, to support a shared culture of cybersecurity," she pledged.
The company will be also sharing its findings, including "some surprising gaps in the kinds of data protected under HIPAA [Health Insurance Portability and Accountability Act]," along with recommendations on balancing security with the data accessibility demands of running a health care organization.
"Protecting data isn't just about responding to hackers or complying with regulatory standards. Organizations that have focused on reactive measures must expand their efforts to include proactive approaches as well," said Sistla, hinting that hospitals and health insurers can do more to ward off threats to patient data.
"This includes routine exercises designed to test their own systems' vulnerabilities," Sistla continued. "It includes taking measures to reduce the loss or theft of laptops and other devices containing data, which account for 65 percent of the data-breach incidents reported to the U.S. Department of Health and Human Services." In 2012, an Indiana Cancer Group employee's stolen laptop
compromised the data of 55,000 patients and workers associated with the 21-location health care network.
"The healthcare industry may be uniquely vulnerable now, but at Microsoft we're convinced that there's never been a better opportunity to set a new standard for security and privacy," Sistla said.
A recent TD Bank survey of 300 senior health care finance executives suggests that Microsoft's timing is right. When asked to identify three key areas of capital spending for 2016, data security (41 percent) followed closely behind existing facilities (44 percent) and technology in general (58 percent).