While hospitals are ramping up security efforts to protect information, a large percentage of them are vulnerable to attacks on their web sites.

Less than two-thirds of hospitals participating in a recent survey reported having on-premise web application firewalls in place, and fewer than half reported having defenses in place to thwart distributed denial of service (DDoS) attacks.

While attacks on web sites in the past have just crippled public-facing Internet presences, these types of attacks might pose increased risks to patients’ protected health information, according to Akamai, a company that offers content delivery network services. Akamai commissioned the study, which was conducted by HIMSS Analytics with 94 hospitals participating.

While hospitals have focused on preventing attacks by hackers to gain protected health information from databases or to gain access to hospitals’ networks, less attention has been paid to the potential for accessing PHI through attacks on their web sites, says Ginny Carpenter, industry marketing manager for Akamai.

She contends that growing efforts to widen access to information, such as through patient portals, might raise the likelihood that an attack on a hospital’s web services might give hackers a way to access PHI.

Also, attacks on organizations’ web services could provide cover for an assault elsewhere against the hospital, Carpenter says. “A lot of hackers will use (DDoS) to mask another attack,” she says. “While security folks are mitigating that, they’ll do a web application attack at the same time. We know that hospitals don’t think they are at risk for DDoS attacks. We were surprised that some don’t see the need to protect themselves from web application hacking.”

Akamai said the results suggest that hospitals are, “in many cases, significantly under-protecting their organization.”

The survey found that only 61 percent of responding healthcare organizations have an on-premise web application firewall installed to protect their data centers. “This means a full 39 percent of organizations are not protected by the most traditional line of defense against web application attacks,” according to an analysis of the results.

Some 42 percent of respondents said they have implemented DDoS protection solutions, and 13 percent said they plan to implement such a solution. “That leaves 45 percent of healthcare organizations vulnerable to a type of cyber attack that is increasing in frequency and size across all industries, including healthcare,” the analysis said. “This is a significant threat to network availability.”

Hospitals traditionally have sought to insulate networks from hackers by limiting access through “closed networks,” Carpenter says. Meaningful use requirements have increased the need to share information and make it available to patients through portals, which affects that strategy and heightens the need for web security.

Cloud-based web application firewalls are used by only 21 percent of respondents, and only 16.5 percent said they plan to implement one. Carpenter says cloud-based approaches are likely to grow in use because they are more easily updated than on-premise web application firewalls and because it is difficult for hospitals to find trained personnel to keep such on-premise firewalls updated to address current hacking threats.

Some 23 percent of responding healthcare organizations said they have no web security programs in place. “What makes this even more concerning is that nearly half of those respondents are from hospitals with 200 beds or more,” the Akamai analysis said.

“Overall, the survey indicates a troubling reality relating to cyber security in healthcare,” the Akamai analysis concluded. “Since web-based attack methods become more pervasive as the healthcare industry becomes more connected, healthcare organizations need to increase their sense of urgency and their investment in implementing fundamental web security solutions.”

However, Carpenter says hospitals are quickly becoming more aware of web security shortcomings, and she expects marked improvement in closing vulnerabilities in the next few months.
