Two recent studies confirm that the healthcare industry has not invested sufficiently in IT and the general state of healthcare cybersecurity is dire.
There has been a marked rise in reported data breaches in recent years. Part of that increase is attributable to better reporting of security breaches, as required by HIPAA and HITECH, but there are two areas of healthcare IT security that must be addressed immediately, certainly if HIPAA violations and penalties are to be avoided.
The first is training. Data breaches have many causes, but a substantial share result from carelessness. Doctors and nurses who are unaware of the rules governing disclosure of PHI inadvertently cause HIPAA breaches. Hospital administrators dispose of paper records improperly and fail to securely delete electronic health records. Physicians still leave laptops containing unencrypted PHI in plain sight in unattended vehicles. Tackling these issues would prevent a large proportion of the data breaches reported to the OCR each year.
The Future of Healthcare Data Security Does Not Look Bright
A new data security report released by the credit reporting company Experian predicts that 2014 will be a very bad year for healthcare data breaches. Hackers are already breaking through hospital defenses to steal healthcare information and Social Security numbers, and the scale of the attacks is alarming.
The SANS Institute recently published a Healthcare Cyber Threat Report which helps to quantify the current threat. The institute used data from the threat intelligence vendor Norse to determine the volume of attacks involving the healthcare industry.
Norse recorded approximately 50,000 “unique malicious events” between Sept 2013 and Oct 2013, with the SANS Institute determining that 72% of those cyberattacks were on healthcare providers and 10% on Business Associates.
“Millions of compromised healthcare organizations, applications, devices and systems [are] sending malicious packets from around the globe,” said Barbara Filkins, a Senior Analyst at the SANS Institute. The malicious traffic originated from a range of compromised systems: VPN applications were the largest single source (33%), followed by connected endpoints such as digital video systems and radiology imaging software (17%), firewalls (16%) and routers (7%).
The problem is not only a lack of protections; when protections are put in place, security vulnerabilities are allowed to persist and are not picked up in a risk assessment. Firewalls were cited as a particular problem area because their management interfaces are often exposed to the internet and protected only by a user name and password. In many cases, healthcare providers never change the factory default login, so anyone who knows it can gain administrative access, and those defaults can be found with a simple Google search.
Default Logins are Not Being Changed
It is not just firewalls. Video security systems and other network-attached devices carry the same flaw if factory settings are not changed, and the same is true of mobile health applications. Even basic security checks, such as confirming that default credentials no longer work, are often not conducted. If they were, IT professionals might be alarmed to discover how easily PHI can be viewed by unauthorized individuals.
The sad fact is that healthcare IT protections are often lacking or substandard and fail to provide the level of protection required under the HIPAA rules. Many of the missing measures are simple to implement and are basic security standards, and these are the areas that should be addressed first. Even such relatively minor changes can have a big impact on data security and greatly reduce the probability of suffering a data breach.
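The check the two paragraphs above say is rarely performed can be automated. The following is an added example written for this page, not code from the article or from the SANS/Norse report: it runs a short list of assumed vendor-default logins against each management interface in an inventory and reports any device that still accepts one. Because no real device is available here, the block also starts a constructed stand-in for a firewall's web admin page (HTTP Basic authentication on localhost) so the audit can be run offline; the device name `edge-fw-01` and the credential pairs are illustrative, not taken from any vendor.

```python
"""Audit device management interfaces for unchanged default credentials.

Added example for this article, not the authors' or any vendor's code.
The simulated admin UI below is a constructed stand-in for a firewall's
web login; point `audit_default_credentials` at your own inventory in
real use, and only at systems you are authorized to test.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Assumed vendor-default pairs (illustrative; not tied to a real product).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
]


class _SimulatedAdminUI(BaseHTTPRequestHandler):
    """Constructed stand-in for a device's HTTP Basic-auth admin login.

    `accepted` is the (user, password) pair the fake device accepts.
    """
    accepted = ("admin", "admin")

    def do_GET(self):
        header = self.headers.get("Authorization", "")
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
            except ValueError:  # malformed base64 or non-UTF-8 bytes
                user, pw = None, None
            if (user, pw) == self.accepted:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"welcome, admin")
                return
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="firewall"')
        self.end_headers()

    def log_message(self, *args):  # keep the console quiet
        pass


def start_simulated_device(accepted=("admin", "admin")):
    """Serve the constructed admin UI on an ephemeral localhost port."""
    handler = type("Handler", (_SimulatedAdminUI,), {"accepted": accepted})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def try_login(url, user, password, timeout=3):
    """Return True only if the interface accepts this user/password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError:        # 401/403: credentials rejected
        return False
    except URLError:         # unreachable: not confirmed, not a finding
        return False


def audit_default_credentials(inventory, creds=DEFAULT_CREDENTIALS):
    """Map device name -> (user, password) for every device on a default login."""
    findings = {}
    for name, url in inventory.items():
        for user, pw in creds:
            if try_login(url, user, pw):
                findings[name] = (user, pw)
                break  # one accepted default is enough to flag the device
    return findings


if __name__ == "__main__":
    server, url = start_simulated_device()          # still on admin/admin
    try:
        for device, (user, pw) in audit_default_credentials({"edge-fw-01": url}).items():
            print(f"{device}: accepts default login {user!r}/{pw!r}")
    finally:
        server.shutdown()
```

An unreachable interface is deliberately not reported as a finding, since a timeout says nothing about the credentials; a production version should log it separately for follow-up rather than silently pass it.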
Implementing these basic security standards may also be sufficient to prevent a fine for non-compliance.