Security remains a top concern for healthcare IT professionals

There’s near unanimity among healthcare IT professionals—security is at, or near, the top of their lists of concerns.

Perhaps it would seem that there are more complex challenges for these executives. But hardly any issues are as pervasive or as insomnia-inducing.

Healthcare organizations' wide adoption of electronic information systems has increased the risks to sensitive patient data. Hackers have learned to monetize their attacks by encrypting data and asking for ransoms. As organizations use more medical devices controlled over networks, they find they are more susceptible to hacking, perhaps endangering patients’ lives.

Those and other vulnerabilities, and the importance of protecting against them, strongly influence HIT executives—more than nine out of 10 respondents, on average, said protecting health information and data security was either extremely important (73 percent of respondents) or very important (20 percent).


The study was conducted by Health Data Management and SourceMedia Research, the research arm of HDM’s parent company. A total of 160 responses, primarily from provider organizations, were received in late 2018.

Results from the data show that respondents believe their efforts are having an impact on protecting data. Some 38 percent of respondents say they believe their organizations are extremely effective in protecting health information and data security. Another 43 percent say they are very effective with their security efforts.

Over the last several years, large organizations have ramped up security efforts. Health payers and integrated delivery systems have the wherewithal to hire information security personnel and consultants, as well as implement more information technology systems to detect and prevent potential intrusions.

Large providers ramped up efforts after a series of large cyberattacks that exposed the records of millions of consumers in 2015. Those included breaches of Anthem Blue Cross (78.8 million consumers); Premera Blue Cross (more than 11 million consumers); and Excellus BlueCross BlueShield (more than 10 million consumers).

However, smaller healthcare organizations, such as stand-alone community hospitals and small group practices, have been increasingly victimized by attacks in recent years, with hackers finding that they have fewer security personnel in place and less sophisticated information technology to protect them.

In a recent roundtable conducted by the College for Healthcare Information Management Executives (CHIME) on its Most Wired survey results, participants acknowledged variability in provider sophistication regarding security. HDM published a report on the roundtable written by Candace Stuart, CHIME’s director of communications.

Degrees of maturity for security programs across the industry vary, contends Ken Bradbury, senior vice president and chief technology officer at The HCI Group. “Cybersecurity within healthcare is a high priority, but I don’t think there is a clear understanding of all of the prerequisites of achieving security compliance and having a strong security program.”

Results from the HDM survey showed that respondents believe some components of their IT systems were more vulnerable than others.

In fact, the biggest areas of vulnerability involve technology used by front-line staff, particularly mobile devices and email.

For example, some 45 percent of respondents said they believe that email is a significant threat to data security, saying it was either very threatening or extremely threatening.

Similarly, mobile devices pose the second largest threat to respondent organizations. Some 18 percent of respondents say they are extremely threatening to data security, and another 25 percent say they are very threatening.

Internet of Things devices, which can be connected to medical organizations' networks, also are recognized as a risk by survey respondents. A total of 38 percent of respondents say IoT devices are either extremely threatening or very threatening to data security.

Conversely, respondents said they are less concerned about IT over which they have more direct control. Those include applications (25 percent either responding very or extremely threatening); cloud-based systems (27 percent); networks (24 percent); or servers (23 percent).

Vulnerabilities related to the use of email and personal devices highlight the need to increase educational programs, contends Pamela Arora, senior vice president and CIO at Children’s Medical Center of Dallas. At her facility, that includes educating all staff about cybersecurity dangers and best practices. “Not only is it awareness around the technical side but also having to ensure that they are trained all the way down to staff members that their role is critically important,” she says.

Julie Hull, vice president of operations, Cerner KC One Health innovation Alliance at Truman Medical Centers, says medical devices represent significant security challenges because they require staff with knowledge about the devices in addition to understanding security and healthcare. “Today the market is woefully lacking in those types of skills,” she adds. “In that case we have organically grown it with multidisciplinary teams that have formed and organized around it.”
