Healthcare chief information and information security officers indicate data theft and social engineering attacks are top network security concerns, according to new research.
A survey conducted by the College of Healthcare Information Management Executives (CHIME) polled nearly 200 members from healthcare organizations of all sizes, with 70 percent reporting from hospital/acute care facilities and integrated delivery networks/systems.
Healthcare IT officials reported social engineering and data theft caused more concern than cyber terrorism, IoT, organized crime, or insider threats. Social engineering attacks were the most common security threat across all organizations, and ransomware was the most common security exploit.
Ransomware holds organization data hostage and demands payment in exchange for the return of that data. For healthcare organizations, ransomware is a cause for concern because organizations can face ramifications for violating HIPAA regulations.
Ransomware attacks have been a problem for healthcare organizations over the past year, and the Department of Health and Human Services (HHS) released HIPAA guidance earlier this year specifically addressing ransomware to help organizations prevent, detect, contain, and respond to threats.
According to HITSecurity.com, “the HHS guidance reminds healthcare organizations that there are aspects of HIPAA compliance that could be greatly beneficial in preventing healthcare ransomware attacks, as well as being able to recover from them.”
Health IT officials declared data exposure as their top vulnerability, making data theft a top security concern. Poor authentication and security misconfiguration were two of the top reasons organization data was at risk.
“The survey data is representative of what we are hearing from our colleagues across the industry. Cyber criminals are attacking us from nearly every angle,” said Marc Probst, chair of the CHIME board of trustees and CIO at Intermountain Healthcare. “We have to be extremely vigilant in educating our staff and our business partners on how to minimize the risk of an attack. We are only as safe as the weakest link along our networks.”
The survey indicated that most organizations would perform better now than a year ago if their systems or data were targeted by an attack. Having systems in place to prepare for a security incident was the biggest improvement area, with discovering a security incident and recovering from a security incident following close behind.
Survey respondents expressed a greater need for assistance from federal agencies to improve information sharing between healthcare organizations, with nearly 65 percent declaring they were somewhat confident or not confident at all that federal legislators fully understand the importance of healthcare data security enough to advocate for the right initiatives.
Healthcare IT officials think the federal government should develop tools for providers of different sizes and levels of resources because smaller organizations with limited resources don’t typically have the same needs as larger organizations. Respondents also called on lawmakers to adopt incentives that encourage greater information sharing, including protecting organizations that voluntarily work to improve security across the delivery system from punitive government audits.
“We are all in this together,” Probst said. “New payment and delivery models are creating a more connected healthcare system than ever before, but we need our partners in the federal government to understand the risks that are out there and to work with us on finding common sense solutions.”