"There's an evolving thinking among CIOs that one of the benefits of going to a public cloud is you avail yourself of state-of-the-art security that you could probably never replicate with your own IT organization," Safavi said.
Safavi said the healthcare industry is also looking at fighting fire with fire, so to speak, by using blockchain technology -- just as bitcoin does -- as a distributed, peer-to-peer database in which to store sensitive information.
"The nature of blockchain... requires both public and private encryption keys [that make it] virtually impossible for someone to get a nugget of data," Safavi said. "That's the reason why it's used for cryptocurrency."
With more than 175.5 million records lost in healthcare breaches and new threats emerging every day, the industry should act quickly to safeguard data that can't be resecured once it's stolen, Gallagher said.
Sharing is caring
One problem is that organizations may have no idea that data has even been compromised. That points to the need for intrusion-detection systems (IDS) and security information and event management (SIEM) software, which can monitor networks for malicious activity and alert administrators when something is detected.
Additionally, the healthcare industry needs access to better resources on threat data from local and federal law enforcement agencies, Gallagher said.
"If I was asked by a healthcare CIO where to go for cyberthreat data, I've got to give them a list of at least five or six sources, maybe more -- whether it's the FBI or homeland security... or some private companies," Gallagher said. "There are lots of different sources for the data, and sometimes it's in different formats."
There have been several efforts by Congress to enact a law that would foster sharing of security information. The latest was the Cybersecurity Information Sharing Act (CISA), which was finally incorporated into an omnibus spending bill and signed into law last December. CISA paves the way for sharing data on cyberthreats among seven government entities and local police.
However, Rod Piechowski, senior director of health information systems at HIMSS, noted that the problem of data security goes beyond what the government or sophisticated software can do, and he said healthcare organizations must focus on educating members of their medical and administrative staffs.
All it takes is one person opening up an email attachment for hackers to gain access to hospital systems. Educating employees on how to detect and report suspicious emails is crucial, said Piechowski.
"I would reiterate that security is everybody's business. It's not just up to the IT department," Piechowski said. "If you work with electronic devices, it's your responsibility too."