8 Security Categories Healthcare Providers Need to Improve On
A new survey by HIMSS finds that many providers don’t even cover the basics of IT security.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltea5feb5d77799a9f/64f0da1c5f0111a1fd0361e3/Slide-1-HealthCareCoverArt.jpg?width=700&auto=webp&quality=80&disable=upscale)
The Healthcare Information and Management Systems Society (HIMSS) has laid it out in black and white for healthcare providers to see: A recent survey by HIMSS found that too many healthcare providers are failing to deploy security basics, such as antimalware tools, firewalls and encryption.
Lee Kim, director of privacy and security at HIMSS, says she’s troubled that more than 20 percent of acute facilities (hospitals and facilities associated with hospitals) are failing to use firewalls. Further, more than half of non-acute facilities (physician's offices, mental health facilities, etc.) are failing to encrypt data at-rest or data in-transit.
Even with something as basic as antivirus and antimalware tools, only 84.9 percent of acute and 90.3 percent of non-acute facilities are using these tools. Acute facilities are defined as hospitals that treat patients and conduct surgeries, while non-acute facilities are more long-term care units, assisted living or other facilities to care for elderly patients.
“I think our number for antivirus and antimalware has to be more in excess of 99 percent,” she says. “I would have felt much better if the acute facilities approached a B-plus, but it was more like a B-minus.”
Kim says it’s been very challenging to get executives in the healthcare field to focus on security, even with numerous high-profile breaches.
“Traditionally healthcare providers are in the business of saving lives, so the IT security staffs have a difficult time competing for budget dollars,” she explains. “As recently as five years ago, you would hear people saying that people wouldn’t want to attack a health care facility because they didn’t believe anyone would want to do harm to the patients.”
Kim says these attitudes are changing slowly, but with such low scores on basic security techniques like using encryption, network monitoring and analyzing logs, she admits there’s a great deal of work ahead in the healthcare field.
Read on to see eight of the healthcare industry's most troubling infosec weak points:
Once again, the percentages are low. Only 68.1 percent of acute and 48.4 percent of non-acute providers are encrypting data in-transit. The numbers are also low for data at-rest. Only 61.3 percent of acute and 48.4 percent of non-acute providers are encrypting data at-rest.
Kim believes that with such a dangerous threat landscape, encryption should be as automatic as antivirus/antimalware and firewalls. For example, PGP encryption has been around for decades, as has S/MIME for encrypting email. A few years ago, providers might have said that encryption degrades network performance, but Kim says those concerns are not credible any longer now that hardware-based encryption is readily available.
Yet another troubling finding from a security perspective: Only 59.7 percent of acute and 61.3 percent of non-acute providers are using audit logs to track the history of patient health and financial records. By not having logs, providers have no way to determine if someone was snooping on a patient record or have documentation available in the event a question comes up as to whether or not patient data was leaked, lost, or stolen.
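The two questions the paragraph says an audit log answers, "who touched this record?" and "is someone snooping?", can be checked mechanically once the log exists. The following is an added example, not code from the article or from HIMSS: it parses a constructed access log in an assumed format (timestamp, user, role, action, patient ID, and whether the user is on that patient's care team), reconstructs a record's access history, and flags any user who views an unusually high number of records they are not assigned to within a short window. The log lines, field layout and thresholds are all assumptions for illustration.

```python
"""Reconstruct record access history and flag possible snooping from EHR audit logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (not from any real system or from the HIMSS survey).
# Assumed format: timestamp user role action patient_id on_care_team(yes/no)
SAMPLE_LOG = """\
2024-05-01T08:02:11 nurse17 nurse VIEW P1001 yes
2024-05-01T08:05:43 nurse17 nurse VIEW P1002 yes
2024-05-01T08:09:02 clerk04 billing VIEW P1001 yes
2024-05-01T09:10:55 drsmith physician VIEW P2044 no
2024-05-01T09:11:12 drsmith physician VIEW P2045 no
2024-05-01T09:11:30 drsmith physician VIEW P2046 no
2024-05-01T09:11:48 drsmith physician VIEW P2047 no
2024-05-01T09:12:05 drsmith physician VIEW P2048 no
2024-05-01T09:12:20 drsmith physician VIEW P2049 no
2024-05-01T13:40:00 nurse17 nurse VIEW P3001 no
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    action: str
    patient: str
    on_care_team: bool


def parse_log(text):
    """Parse whitespace-separated audit lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient, team = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role,
                                  action, patient, team == "yes"))
    return events


def patient_history(events, patient_id):
    """Everyone who touched one record, in order: the first thing an investigator asks for."""
    return [(e.ts.isoformat(), e.user, e.action)
            for e in events if e.patient == patient_id]


def flag_snooping(events, max_off_team=3, window_minutes=5):
    """Flag users who view more than max_off_team records they are not assigned to
    inside any sliding window of window_minutes. Returns {user: peak count}."""
    by_user = defaultdict(list)
    for e in events:
        if not e.on_care_team:
            by_user[e.user].append(e.ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it fits within window_minutes.
            while (times[end] - times[start]).total_seconds() > window_minutes * 60:
                start += 1
            count = end - start + 1
            if count > max_off_team:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("History of P1001:", patient_history(evts, "P1001"))
    print("Possible snooping:", flag_snooping(evts))
```

With the constructed log, `drsmith` is flagged for six off-team views in under two minutes, while `nurse17`'s single off-team view at 13:40 stays below the threshold. The "on care team" field is the key input: without a mapping of users to the patients they legitimately treat, the log can reconstruct history but cannot distinguish care from curiosity, which is why the threshold check is paired with that assignment data rather than raw view counts alone.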
Intrusion detection systems are also not widely deployed, with only 57.1 percent of acute care and 41.9 percent of non-acute providers using an IDS as an early warning system. Kim says provider IT departments are simply not getting the resources they need to do the job. IDSes have become as routine as antimalware, firewalls or encryption.
Only 56.3 percent of acute care and 35.5 percent of non-acute care providers are deploying mobile device management (MDM). Kim says that (assuming the providers not using MDM do nevertheless have personal mobile devices deployed throughout their organizations), the lack of MDM introduces significant risk. She says health providers may have various levels of BYOD policies, but without MDM, security policies are not enforced properly, and lost or stolen devices cannot be remotely wiped.