Security soars as a priority, but providers struggle to use tech for protection

Cyber security remains a high business priority for provider organizations, but security professionals say that a shortage of resources means they’re relying on a limited set of tools to fight threats.

Respondents from 87 percent of hospitals and 81 percent of other providers say security has grown in stature to become a key business priority. The survey, conducted by the Healthcare Information and Management Systems Society, sought responses from 150 security professionals in healthcare.

But the lack of overall progress in improving cyber security over the previous year is what most surprises Lee Kim, director of privacy and security at HIMSS, which conducted the survey with support from security firm FairWarning.

“This is the second year being pounded by attacks, but the needle hasn’t really moved in our numbers, and that worries me,” she says. “The hackers believe and have proven that we are low-hanging fruit. You don’t have to be a whiz-kid to break in and get all kinds of data. As long as they are successful, they’ll keep targeting us.”


HIMSS conducted the survey between February 15 and May 15, finding results highly reflective of a similar survey in 2015. Representatives of 119 hospitals and 31 non-acute care facilities participated.

Some 85 percent of surveyed hospitals and 90 percent of non-acute providers have anti-virus/malware software, and 78 percent of hospitals and 90 percent of other providers use firewalls. That’s not enough protection, HIMSS contends in the report.

“With tens of thousands of malware variants being generated each day, this lack of defense may leave an organization wide open to compromise,” the report notes.

Hospital data security professionals continue to fight for adequate budgets and resources, Kim notes.

On the non-acute side, which includes physician practices and other providers such as long-term care facilities, the data suggests they are devoting more attention and money to security, but there is not yet a trend of small providers fortifying their cyber defenses.

These providers are aware of looming threats, “but may not yet be aware of the pervasiveness of cyber attacks,” Kim says. Further, only 42 percent of surveyed non-acute providers have intrusion detection technology, so they may not even be aware that an attack has occurred.

Other types of information security protections being used in hospitals and non-acute settings are often not widely deployed. For example, 68 percent of hospitals use encryption for data in transit; only 48 percent of non-acute care providers do so.

Non-acute care providers considerably lag behind hospitals in the percentage that employ data encryption at rest, patch management, intrusion detection, network monitoring, user access controls, intrusion prevention systems, access control lists, single-sign-on technology, web security gateway, multi-factor authentication, messaging security gateway and data loss prevention applications.

But for most of these other protections, hospitals only stand at 60 percent or lower in using these tools, while considerably less than 50 percent of non-acute providers use these defenses.

Kim says the lack of encryption for data at rest or in transit is surprising. She speculates the reason may be that providers backing up data from their electronic health records to a remote location don’t realize the data could be vulnerable to attack.

Still, hospitals and non-acute providers recognize the threat posed by cyber attacks, with 80 percent of respondents saying their organization experienced a recent significant security incident. “Given the sensitivity to this topic, it is understandable that respondents may be reluctant to voluntarily share this information and the pervasiveness of attacks presented here may actually be under-represented,” according to the HIMSS report.

In the past year, federal and local initiatives have increased the amount of information shared about cyber threats among industry stakeholders, although the level of sharing varies across the nation. For now, survey respondents see promise and barriers with threat data sharing programs.

About 40 percent of acute care respondents and 26 percent of non-acute providers believe there is not enough cyber threat intelligence to stay ahead of threats. About 13 percent of acute and non-acute respondents say there is sufficient intelligence, but contend that there is a lack of tools for effective use. And about 12 percent of both respondent types report sufficient threat intelligence but a lack of know-how to use it effectively.
