HIMSS Study Reveals Alarming Healthcare Security Vulnerabilities

The Healthcare Information and Management Systems Society (HIMSS) has published the results of its annual healthcare cybersecurity survey.

The report shows that healthcare organizations are employing a variety of measures to improve their security posture and keep sensitive data protected. However, many organizations are failing to employ basic cybersecurity controls to prevent unauthorized access to PHI. Should PHI be accessed by unauthorized individuals, many healthcare providers would be unable to determine that a breach had occurred.

The good news is that healthcare cybersecurity defenses are improving. Almost 71% of organizations surveyed said their network security has improved since 2015, and 61% said they had improved endpoint security.

However, the survey has revealed that many healthcare organizations are failing to employ even basic security measures such as antivirus and anti-malware software. According to the study, 15.1% of acute care providers and 9.7% of non-acute care providers did not use antivirus or anti-malware software.

Cyberattacks on healthcare organizations have increased in recent years, in part due to the value of the data healthcare providers store. However, a number of healthcare providers are making it too easy for hackers to gain access to data. The study shows that 21.8% of acute care providers and 9.7% of non-acute care providers do not use firewalls.

Many cyberattacks take advantage of security vulnerabilities, yet a surprising number of healthcare organizations are failing to address those vulnerabilities. 38.7% of acute care providers and 58.1% of non-acute care providers did not have patch and vulnerability management policies in place.

Should the security perimeter be breached, many healthcare organizations would not be aware that their defenses had been penetrated. 46% of surveyed organizations did not have an intrusion detection system and 47.3% did not use network monitoring tools.

Even though HIPAA requires covered entities to maintain PHI access logs and monitor those logs for improper access, 40% of organizations were not doing so. A similar percentage of healthcare providers were not encrypting PHI in motion, even though there is a high risk of data being intercepted by malicious actors. Only 64% of surveyed organizations used encryption for data in transit.

The study results show that healthcare organizations are relying on a very limited range of security tools to keep PHI protected. For the most part this is due to a lack of cybersecurity personnel and severe budget restrictions, although almost half of respondents said there were now simply too many new and emerging threats. Of course, that does not mean the door should be left wide open.

The HIMSS 2016 Cybersecurity Study

The survey was conducted between February 15 and May 15, 2016. HIMSS received 183 completed surveys from U.S. healthcare organizations, although the report focused on the 150 responses received from U.S.-based healthcare provider organizations. 119 of those organizations were acute care providers (healthcare systems and hospitals) and 31 were non-acute care providers (home health agencies, mental health facilities, physicians’ offices, etc.).

In order to qualify for the survey, respondents were required to play a role in their organization’s cybersecurity program (corporate and facility CIOs, CISOs, CSOs, compliance/security officers, IT managers, etc.).

The HIMSS 2016 cybersecurity survey can be viewed/downloaded on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.