Loss of life, liability top cybersecurity fears for health IT leaders

Losing patients due to malicious actors gaining access to systems or hacking medical devices is the top fear for healthcare leaders when it comes to cybersecurity, according to the results of a new survey.

For the survey, conducted by HIMSS on behalf of application security company Veracode, executives also cite damage to their brand, enforcement by government agencies and post-breach costs as major concerns in an environment where breaches are growing in frequency and breadth.

Of more than 200 hospital and health system IT leader participants, 28 percent said their top threat concern is the ability of hackers to take advantage of vulnerabilities in Web- and cloud-based tools such as electronic health record systems and clinical applications.

Healthcare is the most targeted yet least prepared sector in the U.S. when it comes to cyberattacks, according to a recent report published by the Institute for Critical Infrastructure Technology.

Tools like clinical applications must be built with security in mind, Lee Kim, JD, director of privacy and security at HIMSS, says in the report. That's been a common refrain in the industry: security tacked on at the end of the creation of an application or system is not the way to go.

Health leaders also are increasingly aware of the liabilities they face if a breach occurs, according to the report. Fifty-seven percent of respondents said they are addressing this by increasing spending on security assessments; 56 percent, meanwhile, are putting clauses on liability into contracts with third-party vendors. About 50 percent said they are adding frameworks like SANS Institute Security Controls.

Among the report's other findings:

  • 26 percent of respondents said that one of their biggest concerns is phishing attacks on employees and malicious actors inside the facility's walls
  • 54 percent are budgeting more funds for cyberinsurance
  • 44 percent are pushing for the CEO to advocate an IT security policy in all departments
  • 65 percent of respondents said they are putting money toward tech that enables governance policy enforcement
  • 51 percent are investing in education of department leaders on cybersecurity

"As healthcare organizations ... face Web- and mobile-application security risks head on, they will need to make the monetary and time investments required to arrive at an understanding of the risks that cyberattackers pose to their organization," the report's authors concluded.
