
Survey: Healthcare Organizations Lack IT Budget and Expertise for Cybersecurity Measures

October 20, 2015
by Heather Landi

Most healthcare professionals believe criminals are increasingly targeting healthcare organizations; however, many report that their organizations do not have enough staff and security expertise dedicated to information security, according to a Trustwave survey.

For the 2015 Security Health Check Report, Trustwave surveyed 398 healthcare professionals, including 198 technical respondents (predominantly chief information officers, chief information security officers, IT managers, IT directors and IT vice presidents) and 200 non-technical respondents (physicians, nurses, senior executives, board members, finance professionals and office managers). The survey measures the challenges facing healthcare organizations and the security awareness and expectations of their employees.

Medical records are rapidly moving online and being widely shared among patient and health provider sources, web-connected “Internet of Things” devices and cloud services are expanding the attack surface, and the value of stolen health care data – which enables medical identity theft and insurance fraud – has soared in the criminal underground (reportedly fetching 10 to 20 times as much as financial data, such as credit card numbers), according to the Trustwave report.

The survey found that technical respondents were generally more concerned about security breaches, as 74 percent of technical respondents reported they are concerned about their organization getting breached, compared to 51 percent of non-technical respondents.

However, both segments of healthcare professionals reported they are most concerned about losing patient data in the event of a breach, above other types of information.

Among the technical professionals who took the survey, 35 percent reported that their company does not have enough staff and security expertise dedicated to security, and half of respondents said 10 percent or less of their overall IT budget goes toward cybersecurity.

Close to half (47 percent) of technical respondents reported that their business performs vulnerability testing just once a year or even less frequently, with 5 percent reporting they never do vulnerability testing. Eighty percent report that their organizations conduct a risk assessment once a year.

To address some of these issues, 35 percent of respondents reported hiring more staff with security expertise to manage their organization’s security, and 75 percent said their annual security budget has increased.

“To prevent the theft and use of this valuable data, health care organizations are backing two security measures, according to technical respondents. They are data segmentation (a privacy control that enables patients and providers to control who sees and uses certain sensitive data) and encryption (a well-known cloaking technology that renders data unreadable),” the report authors stated.

Of technical respondents, 94 percent said their organization encrypted information sent outside its network and 89 percent said their organization keeps its most sensitive data segmented from its non-sensitive data via a separate database.

As insider threats also pose a security risk for healthcare organizations, 96 percent of technical respondents said their organization limits access to sensitive information to only those who need it.

The report also highlights the need for buy-in from senior level executive leadership and board members with regard to information security issues and initiatives. Fifty-four percent of technical respondents said they meet with CEO/C-level executives/board members once a year about security challenges, while 35 percent report meeting with senior leadership twice a year or even more frequently.

An organization’s security and risk framework is only as good as how it is perceived and implemented throughout the business. The report authors highlight the need to overcome non-technical employee apathy and misinformation around information security through awareness training programs.

Half of non-technical respondents report that their organization’s security awareness education training only occurs once a year and the report authors emphasize that healthcare organizations should have more robust education and training programs.

The report authors also offer a number of recommendations for breach prevention, detection and response, such as understanding the risk through testing and risk assessment, prioritizing and taking action through awareness training and investing in advanced security solutions, using compliance frameworks for guidance and assessing the security of business partners.
