- Approximately 80 percent of surveyed health IT executives and professionals report that employee security awareness is their greatest concern regarding healthcare data security.
The 2017 Level 3 Healthcare Security Study was conducted by HIMSS Analytics and sponsored by Level 3 Communications, Inc. HIMSS interviewed 125 individuals who worked in or alongside the IT department at a healthcare provider organization.
Half of the respondents – 49 percent – were a director or manager of IT, while 30 percent were listed as IT security officers or other IT positions.
Exposure from partners or third parties was the top concern for nearly 69 percent of those surveyed, followed by securing wireless or BYOD devices (54 percent of respondents) and a lack of actionable intelligence (36 percent of respondents).
HIMSS Analytics Senior Director of Research Services Bryan Fiekers maintained that security “cannot become an out-of-sight, out-of-mind problem.”
“While the research uncovered only a 'modest' concern around the prospect of a security breach within hospital organizations over the next 12 months, providers are looking for closer partnerships with their network providers,” Fiekers said in a statement. “My interpretation of the findings is that healthcare organizations must remain vigilant against cyber security threats and leverage all of their resources effectively to ensure every individual knows their role.”
Competing priorities and budget concerns were listed as the top barriers in adopting a comprehensive security program, with 79 percent and 74 percent of respondents citing them respectively.
Impact to clinical workflows, employee awareness and training, and in-house expertise were also top five security program barriers.
One-third of respondents also said they had a high level of concern about a breach impacting patient care at their organization, according to the survey. Respondents were asked to rank their level of concern on a scale of 1 to 7, with 1 being “no concern at all” and 7 being a “high level of concern.”
Approximately one-quarter of those surveyed ranked their concern as a 6, while 12 percent said their concern was a level 7.
The majority of organizations are employing multiple practices to mitigate data security risk. Eighty-seven percent of those surveyed said they utilize remote access/secure access controls, with nearly 85 percent reporting their organization uses an internal/employee security awareness program.
Security consulting services (i.e. vulnerability assessment, penetration testing), next-gen firewall (i.e. sandboxing, data loss prevention, application control), and Distributed Denial of Service (DDoS) mitigation were also listed in over half of responses as a mitigation technique.
When it comes to protecting the organization from potential data breaches, 34 percent of respondents said they use Cyber Threat Intelligence (CTI). Just over 31 percent said their organization uses a next-gen firewall, and 27 percent stated their entity utilizes DDoS mitigation to mitigate breaches.
Level 3 Global Security Services SVP Chris Richter explained that healthcare data security threats are only going to continue to increase as bad actors keep seeking out PHI.
“Aside from fostering and maintaining a culture of security, which includes regular employee security training, healthcare organizations should implement a security governance framework and appropriate technology controls,” Richter said in a statement. “These include threat intelligence, DDoS mitigation and next generation firewalling and sandboxing – all critical next steps for healthcare providers to secure their networks.”
As healthcare providers look to implement necessary security techniques, employee training and regular education cannot be overlooked.
The Identity Theft Resource Center (ITRC) and CyberScout found in a survey released earlier this year that one of the leading causes of healthcare data breaches was employee error or negligence.
There were 43 reported incidents that exposed 1,183,893 records, the report found. In comparison, the second leading sector for employee negligence was the government/military, which had 14 breaches and exposed 35,800 records.
“With the click of a mouse by a naïve employee, companies lose control over their customer, employee and business data,” CyberScout CEO and Vice Chair of ITRC’s Board of Directors Matt Cullina said. “In an age of an unprecedented threat, business leaders need to mitigate risk by developing C-suite strategies and plans for data breach prevention, protection and resolution.”