Healthcare Information Security


95% of Healthcare Orgs Not Utilizing Risk Management Software

A survey found the majority of healthcare entities are not using risk management software or security governance software, but data breach prevention is listed as a top investment area.


By Elizabeth Snell

Healthcare organizations continue to prioritize PHI security, but often have limited resources – such as access to risk management software – according to a recent Netwrix survey.

Nearly all surveyed entities – 95 percent – said they do not use any software for information security governance or risk management. Furthermore, 68 percent of healthcare providers said they do not have a separate cybersecurity function.

The Netwrix 2017 IT Risks Report gathered information from IT professionals in 30 industries, including healthcare.

Netwrix CEO and Co-founder Michael Fimin explained that EHR security remains healthcare’s biggest concern.

“Despite the surge in malware attacks and the high price that healthcare records command on the black market, the healthcare industry still sees employees as the main threat to the security of their assets,” Fimin said in a statement. “Even though most employees do not have malicious intent, organizations need to gain visibility into user activity across the IT infrastructure.”

Fimin added that entities need to have a clear understanding of what is happening in the environment to properly mitigate human error and to detect and respond to incidents faster.

The survey also found that 56 percent of surveyed healthcare organizations find that employees pose the biggest data security threat. Fifty-nine percent of respondents reported malware as the main cause of security incidents in 2016, while 47 percent said human errors were the top issue.

Forty-one percent of those surveyed said malicious activity was the main cause of system downtime in 2016, with nearly one-third reporting accidental or incorrect user activity as the top system downtime cause in 2016.

Endpoint security was listed as the main security focus (61 percent of respondents), followed by database security (56 percent) and virtual infrastructure security (47 percent).

Healthcare organizations also said that adhering to compliance areas was difficult. Thirty-six percent of respondents said they had compliance issues or experienced problems with passing audits. This is particularly unsettling as covered entities and their business associates must ensure HIPAA compliance, which includes being able to provide proper audit trails.

Respondents found that unstructured data stored in a third-party data center was the most neglected area, followed by BYOD and shadow IT.

Seventy-five percent of those surveyed said a lack of budget was the main obstacle to combating cybersecurity threats. A lack of time was also cited by 75 percent as a main obstacle, with 44 percent reporting insufficient participation from senior management as the top hurdle.

However, 56 percent said that their organization planned to invest in cybersecurity to ensure data breach prevention. One-quarter of those surveyed added that intellectual property theft was a future investment area, while 25 percent said the same of cyber-sabotage.

Previous studies have also shown that a lack of employee security awareness can create data security issues.

HIMSS Analytics and Level 3 Communications, Inc. found in the 2017 Level 3 Healthcare Security Study that 80 percent of health IT executives and professionals said employee security awareness is their greatest concern regarding healthcare data security.

Sixty-nine percent of respondents added that exposure from partners or third parties was the top concern, while 54 percent said securing wireless or BYOD devices was a key worry.

The study also showed that 79 percent of those surveyed said competing priorities were the top barrier to adopting a comprehensive security program, with 74 percent citing budget concerns as the main pain point.

“While the research uncovered only a 'modest' concern around the prospect of a security breach within hospital organizations over the next 12 months, providers are looking for closer partnerships with their network providers,” HIMSS Analytics Senior Director of Research Services Bryan Fiekers said in a statement. “My interpretation of the findings is that healthcare organizations must remain vigilant against cyber security threats and leverage all of their resources effectively to ensure every individual knows their role.”

