Poor Security Awareness Greatest Threat to Healthcare Data Security

A recent survey conducted by HIMSS Analytics for the 2017 Level 3 Healthcare Security Study has shown that the biggest concern regarding healthcare data security is a lack of employee security awareness.

The Level 3 Communications, Inc., sponsored survey was conducted on 125 healthcare IT executives and IT professionals, including directors, IT managers, IT security officers and other IT staff. The aim of the study was to provide insight into the main high level security concerns within the healthcare industry.

The majority of respondents – 85% – said they had education programs that taught employees to be more security aware, although that was not enough to ease concerns. A lack of employee security awareness was the top-rated concern, with more than 78% of respondents saying employee security awareness was one of the main concerns regarding exposure to threats.

Employees are considered the weakest link in the security chain, and with good reason. As last month’s Healthcare Breach Barometer report from Protenus shows, insiders are the biggest cause of healthcare data breaches. In March 2017, 44% of reported healthcare data breaches were due to insiders – a mix of errors and deliberate breaches. In February, insiders caused 58% of breaches. While there will always be a few bad apples, far more often it is employee mistakes that open the door to attackers.

Other key concerns were exposure from third-parties and partners, which was rated as a top concern by 69% of respondents. Securing BYOD and wireless devices was a major concern for 54% of respondents, while having a lack of actionable threat intelligence was a top concern for 39% of respondents.

When asked about the main barriers that hampered organizations’ attempts to develop a comprehensive security program, competing priorities was the main issue, closely followed by budgetary constraints, rated by 79% and 74% of respondents respectively. The impact to clinical workflows, employee awareness and training, and a lack of in-house expertise made up the top five.

The survey revealed that the majority of organizations are using multiple risk mitigation practices: 87% use remote access and secure access controls, 85% rely on security awareness programs for employees, and 75% use security consulting services, vulnerability assessments and penetration tests to uncover potential weak points in their cybersecurity defences. Six out of ten organizations have now implemented next-generation firewalls, and more than half of respondents have also implemented DDoS mitigation services (56%) and have access to cyber threat intelligence (55%).

When asked to rate their level of concern about experiencing a security breach in the next 12 months, only 1.6% of respondents said they had no concern at all. 36% said they had a high level of concern.

Chris Richter, SVP, Global Security Services for Level 3, said “The security threats the healthcare industry is facing are real and they’re only increasing in volume and sophistication as bad actors continue to seek out coveted protected health information.”

Richter said it is important to foster and maintain a culture of security and to ensure employees receive regular security training, but additionally, “healthcare organizations should implement a security governance framework and appropriate technology controls.” Those controls should include “threat intelligence, DDoS mitigation and next generation firewalling and sandboxing.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.