The healthcare industry, one of the most targeted for data breaches, is facing an escalating crisis. According to the White House, cyberattacks against the American healthcare system rose 128% from 2022 to 2023 and are not letting up. This alarming trend underscores the urgent need for better data security practices when it comes to moving and storing patient data.
More recent cyberattacks targeting the nation’s healthcare system have demonstrated the continued vulnerability of our hospitals and payment systems. In 2024, over 32 million patients in the United States have already been impacted by 275 healthcare data breaches. The extensive list of breaches highlights continuous concerns around data handling and storage practices in healthcare, demonstrating that despite advancements in technology, the sector remains vulnerable to data breaches.
Technology Sprawl is a Major Culprit
Technology sprawl is the key vulnerability in most cases. Also known as technical sprawl or IT sprawl, technology sprawl represents a significant challenge for organizations striving to maintain efficiency, security, and cost-effectiveness in their IT infrastructure. It often occurs because of system upgrades, merger and acquisition activity, as well as when different departments independently adopt new tools, software, hardware, or cloud services without a coordinated strategy. And when an application gets replaced, but the data still needs retained and accessed, it’s easy to leave the old application up and running for years. The resulting proliferation of technologies from these various factors can lead to a fragmented IT environment, where multiple tools perform similar functions, creating redundancy and complexity.
The effects can be profound, particularly when it comes to an organization’s security. As the portfolio of various systems and applications expands, the resulting fragmented IT environment can create significant vulnerabilities. Each additional software introduces potential entry points for cyber threats. The lack of standardized security protocols across these disparate technologies can lead to inconsistent defense measures, making it easier for attackers to exploit weaknesses and gain unauthorized access to sensitive data.
Technology sprawl often leads to reduced visibility and control over technology resources. As the number of systems and applications proliferates, maintaining a comprehensive view of the IT landscape becomes increasingly difficult. This lack of visibility can prevent security teams from identifying and responding to threats in a timely manner, further increasing the risk of data breaches. Without a cohesive strategy, critical security updates may be missed, and monitoring for suspicious activity across multiple platforms becomes a daunting task, leaving the organization exposed to potential breaches.
In the event of a breach, the disjointed nature of the infrastructure may also hinder the organization’s ability to effectively restore systems and recover lost data. The scattered placement of data across various platforms increases the likelihood of data loss or mishandling during a recovery effort. These challenges underscore the importance of addressing IT sprawl not just as an operational concern, but as a critical component of an organization’s overall security strategy.
How to Manage Technology Sprawl
Managing technology sprawl is essential for organizations seeking to maintain security, efficiency, and cost control within their IT environments. One of the most effective strategies is to standardize tools across the organization. By selecting core go-forward platforms and ensuring their consistent use throughout various departments and locations, organizations can reduce redundancy and streamline their technology stack. This approach not only simplifies management but also strengthens security, as standardized tools can be more effectively monitored and maintained with uniform security protocols.
Another critical step in managing technology sprawl is consolidating and integrating systems to work together seamlessly. When a smaller number of technologies can communicate and share data efficiently, organizations can eliminate silos and reduce the complexity of their IT infrastructure. Integration helps create a cohesive environment where information flows smoothly, making it easier to monitor, manage, and secure the entire system.
Finally, implementing strong governance policies is key to controlling technology sprawl. By establishing clear procedures for technology adoption and usage, organizations can ensure that any new tools or systems align with their overall IT strategy. Governance frameworks help prevent the unchecked proliferation of technologies by requiring approval and oversight for new implementations. This disciplined approach not only curtails unnecessary expansion but also ensures that security considerations are factored into every decision, reducing the likelihood of introducing new vulnerabilities into the organization’s IT environment.
Archiving is a Solution to Reduce the Portfolio
Legacy software can provide easy entry points for attackers, contributing to the financial toll of healthcare data breaches hitting an all-time high. The Cybersecurity and Infrastructure Security Agency (CISA) identifies the use of unsupported or end-of-life software as the number one “Bad Practice” that heightens risks to critical infrastructure, including public health and safety. Old applications, often kept running in read-only mode, are susceptible to corruption, breakdown, cyberattacks, and even internal threats.
Minimizing these vulnerabilities by decommissioning legacy software is a vital step in any healthcare organization’s security strategy. This isn’t always straightforward, however, since the records often still need to be retained and accessed for various uses.
Addressing the risks posed by legacy systems involves strategic planning and secure retention of legacy data. An active archive can be extremely helpful. It consolidates data from multiple sources into one secure location and offers a user interface with workflows for accessing and releasing data. When selecting an archiving solution, healthcare organizations should consider the expertise and track record of the partner, and closely evaluate their security policies, procedures, and certifications.
By adopting comprehensive risk management strategies and partnering with experienced data experts, healthcare organizations can fortify their defenses against the relentless tide of cyber threats. In an era where the cost of a data breach can cripple operations and tarnish reputations, proactive cybersecurity measures are essential to protect the lifeblood of healthcare—its data.
- 32M U.S. Patients Hit by Healthcare Data Breaches in 2024 YTD | Healthnews
- June 2024 Healthcare Data Breach Report – HIPAA Journal
- May 2024 Healthcare Data Breach Report – HIPAA Journal
- March 2024 Healthcare Data Breach Report – HIPAA Journal
About the Author
Dan Kompare has over 20 years of experience in Information Technology since graduating from Purdue University with a specialty in data integration and work in bioinformatics and EHR system design. Throughout the years, he’s had a hand in system administration, networking, security, data analytics, database administration, software development, and senior leadership over critical infrastructure. Today, Dan leads the Harmony Healthcare IT DevOps and Security teams.
Dan can be reached online at https://www.linkedin.com/in/dan-kompare-017a652/ and at our company website https://www.harmonyhit.com/
