Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

9/6/2016
12:45 PM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail
50%
50%

8 Security Categories Healthcare Providers Need to Improve On

A new survey by HIMSS finds that many providers don't even cover the basics of IT security.
Previous
1 of 9
Next

Image Source: Pixabay

Image Source: Pixabay

The Healthcare Information and Management Systems Society (HIMSS) has laid it out in black and white for heathcare providers to see: A recent survey by HIMSS found that too many healthcare providers are failing to deploy security basics, such as antimalware tools, firewalls and encryption.

Lee Kim, director of privacy and security at HIMSS, says she’s troubled that more than 20 percent of acute facilities (hospitals are those associated with hospitals) are failing to use firewalls. Further, more than half of non-acute facilities (physician's offices, mental health facilities, etc.) are failing to encrypt data at-rest or data in-transit.

Even with something as basic as antivirus and antimalware tools, only 84.9 percent of acute and 90.3 of non-acute facilities are using these tools. Acute facilities are defined as hospitals that treat patients and conduct surgeries, while non-acute facilities are more long-term care units, assisted living or other facilities to care for elderly patients.

“I think our number for antivirus and antimalware has to be more in excess of 99 percent,” she says. “I would have felt much better if the acute facilities approaches a B-plus, but it was more like a B-minus.”

Kim says it’s been very challenging to get executives in the healthcare field to focus on security, even with numerous high-profile breaches.

“Traditionally healthcare providers are in the business of savings lives, so the IT security staffs have a difficult time competing for budget dollars,” she explains. “As recent as five years ago, you would hear people saying that people wouldn’t want to attack a health care facility because they didn’t believe anyone would want to do harm to the patients.”

Kim says these attitudes are changing slowly, but with such low scores on basic security techniques like using encryption, network monitoring and analyzing logs, she admits there’s a great deal of work ahead in the healthcare field.

Read on to see eight of the healthcare industry's most troubling infosec weak points: 

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Previous
1 of 9
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AnnaK746
50%
50%
AnnaK746,
User Rank: Apprentice
1/29/2017 | 3:33:36 AM
security
I also very much concerned with the question about the security of applications. I would not like to know that my data is using someone. It's not good. How can you protect myself? I can use applications developed by reliable companies https://itechcraft.com/custom-healthcare-solutions/ .But how can I find out which companies are reliable?
lorraine89
50%
50%
lorraine89,
User Rank: Ninja
10/10/2016 | 7:26:54 AM
Online security
Increasiing and stepping up the game of online privacy is the key in remaining safe from those snooping eyes of the hackers and therefore it is essential to deploy military grade data protection tools like encryption, password protection and also securing your online activity and incoming traffic logs via a guaranteed secure vpn server. I use PureVPN as my vpn server because it has strict no logs policy and also offers 5 plus multi logins so that is a plus. 
patligalli
50%
50%
patligalli,
User Rank: Apprentice
9/29/2016 | 4:50:20 PM
2FA or MFA
Great article on recommendations and protecting patient data- author missed out on 2 factor technology which is critical. 

Mohammed 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/6/2016 | 7:25:30 PM
Irony
The irony is: To get medical/health information that you're fully entitled to, you have to jump through a zillion bureaucratic hoops.

Maybe I should hire a hacker to get my own medical information for me.  It'd probably be easier and possibly even more cost-effective than to deal with the dimwits in most hospitals' medical-records offices who lack basic critical-thinking skills and pay outrageous copying rates.  (One hospital I recently dealt with for a client: More than $0.75 per page!)
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5798
PUBLISHED: 2019-05-23
Lack of correct bounds checking in Skia in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
CVE-2019-5799
PUBLISHED: 2019-05-23
Incorrect inheritance of a new document's policy in Content Security Policy in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2019-5800
PUBLISHED: 2019-05-23
Insufficient policy enforcement in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2019-5801
PUBLISHED: 2019-05-23
Incorrect eliding of URLs in Omnibox in Google Chrome on iOS prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
CVE-2019-5802
PUBLISHED: 2019-05-23
Incorrect handling of download origins in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.