HIMSS Releases 2015 Healthcare Cybersecurity Report

297 healthcare leaders and information security professionals have given their opinions to HIMSS on the state of healthcare cybersecurity, and the results of the survey were recently published in HIMSS’s 2015 Cybersecurity Report.

The release of the report coincided with the Chicago Privacy and Security Forum event between June 30 and July 1 of this year. The report highlights a number of concerns about cybersecurity, perhaps the most pressing being the sheer scale of the current attack surface. Hackers are breaking through security defenses left, right and center, but more worrying is the fact that they have been doing that for a number of months, and are already inside many computer systems.

Healthcare Professionals are Concerned Their Protections may not be Enough


Numerous major breaches have affected tens of millions of employees, consumers and patients over the course of the past few months. New data breaches are being discovered on an almost daily basis and no industry appears to be safe from attack.

Hacking groups are (allegedly) being financed by foreign governments, and employees are snooping on patients and are selling their data. It is no surprise that IT professionals, CIOs and CISOs are concerned given the current threat landscape and how rapidly it is changing: 42% said that there were now so many threats it was impossible to track them all, and half of respondents felt their organizations only had an average level of protection.

HIPAA requires multi-layered defenses to be put in place to secure Protected Health Information. The survey indicates an average of 11 technologies are employed by each organization to keep data secure, and half of the respondents said they now needed full time staff to manage information security.

A Wake-Up Call for the Healthcare Industry


HIMSS Vice President of Technology Solutions, Lisa Gallagher, said “The recent breaches in the healthcare industry have been a wake-up call that patient and other data are valuable targets and healthcare organizations need a laser focus on cybersecurity threats.”

Two thirds of respondents said they have suffered recent data breaches, even though at least 50% of the respondents had addressed cybersecurity threats with improved network security measures, endpoint protections, data loss prevention measures, disaster recovery policies and IT continuity measures.

Gallagher went on to say, “Healthcare organizations need to rapidly adjust their strategies to defend against cyber-attacks. This means incorporating threat data, and implementing new tools and sophisticated analysis into their security process.” At least two thirds of respondents will know all too well how important it is for defense strategies to be adjusted.

Security breaches are now an inevitability, and healthcare organizations have had to develop policies to deal with the increased threat and must install software that can identify breaches quickly. At least half of respondents had installed the necessary systems to be able to identify data breaches when they occurred and more than half of respondents thought they were effective.

The survey asked who identified breaches when they occurred: internal security teams identified data breaches according to 51% of respondents, while 50% said that internal non-security staff raised the flag. Only 17% said external security firms notified them of a data breach.

One of the main ways breaches are detected is through network monitoring systems. 80% of respondents rated the security control as one of the main methods used for identifying security incidents. However, 13% said that they didn’t use anti-virus or anti-malware tools.

There are numerous threats, but phishing campaigns are one of the major worries. 69% of respondents said the threat from such attacks was driving forward the implementation of more robust security measures; however, budgetary constraints are problematic. 64% said that a lack of skilled personnel was preventing better cybersecurity measures from being installed.

Further information can be found here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.