The majority of respondents represented IT staff working in some form of clinical setting, including a hospital (32%), physician group practice (12%), rural or critical access hospital (8%) and individual provider (6%). There were also several ancillary services represented, including health plan/payer (17%) and lab and radiology (12%).
"While these respondents primarily represented the IT side of health care, their biggest driver for information security is regulatory compliance," says survey author Barbara Filkins. "There was also a common theme on 'securing the human,'
emphasizing a need for technical, clinical and compliance staff to work together for effective risk management and compliance."
In the survey, concerns over negligent insiders were a primary among 65%, followed by lack of investment in user awareness (53% selected this option as among their top three concerns). When asked about the effectiveness of their controls, only 40% rate "workforce training and awareness" as effective, while nearly 30% consider it their least effective control.
Respondents are also concerned about the security of their electronic medical records/electronic health records as well as personal health record or PHR systems. PHRs can be "untethered" from the more regulated electronic health record systems and not subject to the same regulatory protection and control.
"Despite these concerns, organizations are accepting the risks for the convenience of mobile and cloud technologies in delivering care to patients,"
Results will be pre-released during the SANS HealthCare Cyber Security Summit, at the Hyatt Fisherman's Warf in San Francisco, Oct. 23, 2013.
There will also be a webcast for those not attending the summit on Wednesday, October 30, at 1 PM EDT, where SANS releases the full set of results. Register for the webcast at http://www.sans.org/info/141255
Those who register for the webcast will be given access to an advanced copy of the associated report developed by Barbara Filkins.
The SANS Analyst Program, www.sans.org/reading_room/analysts_program, is part of the SANS Institute.
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest source for world-class information security training and security certification in the world, offering over 50 training courses each year. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 25 hands-on, technical certifications in information security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community.