Healthcare IT Security Overspending – What Are the Culprits?

By Rich Staas

Director of Client Services, NPI

June 23, 2016


The healthcare industry has always been a target for data breaches, second only to retail. However, research suggests that healthcare organizations are eclipsing retailers as the focus of cybercriminals. In research published by IBM, the healthcare industry represents a growing percentage of all data breaches – up from 5 percent in 2013 to 15 percent in the first half of 2016.

The opportunity for cybercriminals to breach data stores within the healthcare organization is shockingly large. First, there’s the personnel problem. A large number of people (including temp employees) need access to patient records to do their jobs across the healthcare ecosystem. Then, there is the issue of mobility. Since 2010, over 65 percent of all healthcare data breaches have come from mobile device theft or loss, according to the Healthcare Breach Report from Bitglass. Last is the fact that many medical devices and equipment cannot be easily scanned for malware or security threats.

For these reasons (and numerous others), healthcare organizations are spending more than ever on information security – which means many are overspending. Here are some of the factors contributing to overspending in this area:

  • Increased pricing disparity and premiums. Pricing and discounts for IT security solutions are all over the map. Larger players like Dell SecureWorks are renowned for charging unfair premiums, while others like Symantec and Proofpoint are known to offer sub-optimal pricing and discounts. Buyers need to establish fair market value pricing and discount targets as a baseline for negotiations.
  • Entering myopic vendor agreements. One-year deals have become all too common. These shortsighted contracts often take valuable discounts off the table.
  • Failure to benchmark VAR pricing. Vendors rarely sell direct in the security industry, and buyers rarely benchmark VAR pricing and terms. It’s a recipe for overspending.
  • Over/under-investing in support. The degree of support required for different pieces of the IT security puzzle varies. For firewalls, many enterprises require access to higher-level support resources. On the other hand, 24/7 support for multi-factor authentication and proxy cache security is rarely needed.
  • Lack of competitive pressure on incumbents. Vendors like Cisco, Check Point, Palo Alto Networks and F5 Networks have done a good job of entrenching themselves in the enterprise IT infrastructure – with little incentive to offer competitive pricing, discounts and terms during renewals. Buyers need to be aware of this and bring competition into every purchase and renewal (even if they don’t plan to switch vendors).