Healthcare organizations are spending more money upgrading their health IT infrastructure but may not be making the complementary digital security upgrades, according to a recent AJMC study.
The study found that network attacks, while less frequent than device or paper record theft, affected millions of patients and were more damaging overall.
“This study's results showed that paper and films were the most frequent mode or location of data breaches,” said report authors. “However, although network servers were among the most infrequent locations of data breaches, breaches of this type impacted the most patients overall.”
Despite the implementation of more sophisticated health IT systems, security breaches are still prominent enough to be a severe threat to healthcare organizations. Hospital type and size played more of a role in cyberattack vulnerability than health IT infrastructure sophistication and security methods, the study found.
This means that more advanced IT infrastructure security will protect against cyberattacks that target hospitals based on their prominence. Entities have the responsibility to deploy security solutions that will protect their entire network.
Physical healthcare data backup methods put patient data at risk because the physical record can be stolen and will be unrecoverable. Offsite physical backups run the same risk as keeping data on premises: if the offsite facility is compromised, the backup is gone.
Traditionally, physical backups such as tapes were considered more secure than storing data somewhere in the cloud. However, cloud storage vendors have been working with healthcare organizations to produce HIPAA-compliant cloud backup solutions, and these solutions are becoming increasingly popular.
Cloud-based data storage and data backup help protect more data. If firewalls are breached, the cloud holds more patient data, leaving a larger surface area vulnerable to data theft.
“Hospitals should conduct routine audits to allow them to see their vulnerabilities before a breach occurs,” the study concluded. “Additionally, information security systems should be implemented concurrently with health information technologies. Improving access control and prioritizing patient privacy will be important steps in minimizing future breaches.”
Digital transformation puts pressure on health IT infrastructure, and organizations can sometimes spend more time and money making sure their new tools work correctly. This leaves security gaps that can be exploited.
A recent 451 Research report came to a similar conclusion. Healthcare organizations should expect significant changes in their IT infrastructure with new solutions being deployed, the research showed.
“As digital transformation inherently drives organizations into a data driven world, 94 percent of organizations are using sensitive data in cloud, big data, IoT, containers or mobile environments – this is creating new attack surfaces and new risks for data that need to be offset by data security controls,” report authors explained.
Data breaches will continue to increase if organizations do not increase their network security budgets to accommodate more advanced threats. Organizations are not prioritizing increased spending on data-at-rest security, according to the report.
“Successful breaches have reached an all-time high for both mid-sized and enterprise class organizations, with more than two-thirds (67 percent) of global organizations and nearly three fourths (71 percent) in the U.S. having been breached at some point in the past,” said 451 report authors. “Clearly, doing what we have been doing for decades is no longer working. The more relevant question on the minds of IT and business leaders, then, is more direct: ‘What will it take to stop the breaches?’”
Testing security solutions and automating security tasks whenever possible will alleviate IT strain as IT infrastructure continues to grow. This approach can also help entities discover security threats more quickly. Automating threat detection and increasing network visibility and control will help organizations lower their vulnerability to attacks.