A lack of spending on healthcare data security and an increased emphasis on digital activity are primary reasons why the U.S. healthcare industry is at risk as a cyberterrorism target, according to an article published in the December issue of the journal Telemedicine and e-Health. The article's authors say that the industry, as a whole, is difficult to protect because it is made up of "decentralized and loosely coupled organizations," rather than a homogeneous entity.
A cyber attack likely would take place over a period of weeks via a "series of small incursions that are much more difficult to detect," according to the article. For instance, hackers might use phishing emails to introduce malware into hospital networks, which then would gradually erode system quality by infecting patient record databases, mobile devices and, eventually, medical monitors and drug infusion pumps.
"After a few weeks of these rapidly changing and different attacks, the staff in the hospital would have no trust in any electronic data, and the IT support staff would be totally demoralized," according to the authors.
One weak spot in the report is that the authors cite the results of HIMSS' 2009 security survey to drive home some of their points about the lack of hospital preparedness for such attacks. The survey determined that healthcare organizations, in general, had not increased their security budgets or made plans on how to respond to security threats or breaches.
However, HIMSS' most recent security survey, unveiled last week, found that privacy and security budgets at most healthcare organizations have increased, although a good portion of respondents (47 percent) said that their organizations spend, at most, 3 percent of the overall IT budget on such measures.
Still, the Ponemon Institute's third-annual study on patient privacy and data security determined that 94 percent of 80 participating healthcare organizations had experienced at least one known data breach in the past two years. Institute Chairman Larry Ponemon told FierceHealthIT that he didn't think there was a "C-level appreciation or support" for dealing with data security.