A new cybersecurity study of hospitals and other provider care sites uncovered bad habits, such as transmitting unencrypted health records and issues with a lack of adoption of many security products.
The survey, conducted by Chicago-based Healthcare Information and Management Systems Society (HIMSS), received responses from 119 acute care providers and 31 non-acute care facilities, including physicians' offices and outpatient offices, over a one-month period. According to the findings, 36% of respondents admitted they did not encrypt health records in transit, and an even smaller share (58.7%) encrypted data at rest.
"This means that the providers that are not encrypting data are sending protected health information and other data in the clear, leaving such data susceptible to being breached by eavesdropping, packet sniffing or other means," HIMSS wrote in the report. "Similarly, only 61.3% of acute providers are encrypting data at rest, and 48.4% of non-acute providers are encrypting data at rest. This, as well, leaves the door wide open to potential tampering and corruption of the data, in addition to a large potential for a breach."
Of the cybersecurity products surveyed, only antivirus or antimalware, firewalls and audit logs were found to be more prevalent in non-acute provider locations. HIMSS suggested this may be due to acute providers having relatively more financial resources to invest in a wider array of technologies.
"The information security tool profile of providers in the 2016 study suggests providers generally rely on a limited portfolio of security tools," HIMSS wrote. "This may be due to providers lacking appropriate personnel and/or budget ... [but] while a wide variety of information security tools are available for providers to leverage, acute care providers appear to have a greater array of security technologies in their portfolio than non-acute providers."
Even so, antivirus or antimalware and firewalls were the only security products found in more than 80% of all respondent locations, and only those two technologies and audit logs were used by more than 50% of non-acute providers. Some tools showed large differences in usage between the two groups, such as patch and vulnerability management, which was implemented by 61.3% of acute providers but only 41.9% of non-acute providers.
"Essentially, where technology exists, there are vulnerabilities. Such vulnerabilities can sometimes have a high likelihood of exploitation," HIMSS wrote. "A lack of such a program can lead to a large attack surface. Safeguards, such as patches, correct configurations and other measures, are meant to address these exploitable weaknesses. Without a program in place, there can be a large time window for hackers to exploit an unpatched system -- especially if systems are patched or upgraded on a reactive, ad hoc basis. Time is money, including for hackers, and they are likely to go after low-hanging fruit."
However, HIMSS noted in the report that there is evidence provider and hospital cybersecurity has been improving. More than 70% of all respondents reported improvements in network security over the past year, while 61.3% improved endpoint security and 52% improved disaster recovery.
"Beyond the actual experience of the significant security incident, respondents tended to cite three specific motivators driving their organization's information security efforts this past year: reactions to phishing attacks and virus/malware incidents, and proactively addressing the results of a risk assessment," HIMSS wrote. "With phishing and denial-of-service attacks, viruses and malware on the rise, it is no surprise that providers are motivated to improve their information security posture."
HIMSS said the respondents appeared to have a solid grasp on the current and future threats facing them, as well as where hospital cybersecurity could falter. Email was rated as the greatest area of vulnerability across the board, and phishing was rated as a concern, as was exploitation of known software vulnerabilities. And ransomware was rated as the most significant future threat to hospital cybersecurity.
But respondents could not find consensus on what was the biggest barrier to mitigating these threats. The top response was a lack of cybersecurity personnel (58.7%), followed by a lack of financial resources (54.7%) and there being too many new or emerging threats (49.3%).
"Cybersecurity attacks have the potential to yield disastrous results for healthcare providers and society as a whole. It is imperative healthcare providers acknowledge the need to address cybersecurity concerns and act accordingly," HIMSS wrote. "Fortunately, the evidence from this study suggests providers are taking steps to address cybersecurity concerns. However, more progress needs to be made so that providers can truly stay ahead of the threats."