Despite provider prioritization of cybersecurity, incidents remain prevalent

While professionals in the healthcare industry say cybersecurity has grown as a business priority at their organizations, a large number also admit that their facilities have seen a significant security incident recently.

Sixty-eight percent of the 297 individuals responding to a new survey by HIMSS said there had been an attack on their facility recently, with 46 percent saying the attack was due to negligence on the part of someone working within the organization, according to a report. In addition, 64 percent said the incident occurred because of the actions of someone outside the facility, like an online scam artist or hacker.

Fifty-seven percent of respondents said their facility has a full-time professional who deals with cybersecurity, with 20 percent saying that person is a chief information security officer; 6 percent of respondents have a chief security officer. Thirty-two percent have information security staff that are neither a CIO nor a CISO.

Respondents said their organizations improved security in several ways this year, including:

  • 87 percent said information security increased as a business priority
  • 72 percent said their organizations improved network security
  • 63 percent indicated their organizations improved endpoint protection
  • A little more than 50 percent said their facility improved data loss prevention, disaster recovery and IT continuity

Healthcare companies and organizations must not focus solely on technology when it comes to protecting sensitive information, according to privacy and security expert Kate Borten. "There is nowhere near a single silver bullet," Borten, founder of privacy and security consultancy The Marblehead Group, said in a recent interview. "Anyone involved with an information security program understands that there are a gazillion strategies, controls and safeguards to protect data."

Recent security incidents, however, did little to disrupt the organizations' IT environments, including clinical care or IT operations, according to 62 percent of respondents.

Despite that, chief executive officers at health systems should see the threat of a cyberattack as a business risk; those who don't should be fired, Mansur Hasib writes in an opinion piece for Enterprise Tech. Many CEOs seem far more focused on ensuring they have cybersecurity insurance than on turning their attention to the protection of patient information, the former chief information officer says.

To learn more:
- read the executive summary (.pdf)