Survey: Majority of Health IT Execs See Insider Breaches as Growing Threat | Healthcare Informatics Magazine


July 10, 2018
by Heather Landi

While media headlines tend to focus on external breaches and would-be hackers, the overwhelming majority of IT professionals at healthcare provider organizations see insiders as an equal or greater threat to unwanted exposure of sensitive data, according to a recent survey.

A recent study conducted by HIMSS on behalf of SailPoint took a look into how hospitals and healthcare systems perceive and manage insider cybersecurity threats. The survey is based on responses from 100 healthcare IT professionals. SailPoint Technologies is an Austin, Texas-based company that provides identity governance solutions.

While most providers are leveraging various technologies to keep outsiders out of their IT infrastructure, the information security gap continues to widen because data exposure is often due to someone from within the organization.

According to the survey responses, when asked to rate the level of concern around insider threats to data security (1 to 10 scale), the mean score of respondents was 8.2. Digging deeper, the study indicates a noticeable difference between business and clinical respondents versus those who work in IT. Fifty-two percent of non-IT respondents rate their concerns around insider threats at 9 or 10. This is a 10-point difference compared to IT respondents.

“Typically, business and clinical leaders are not as close as IT professionals are to the actual process of governing access. However, should an event occur, the remediation process will likely have a negative impact on operational workflows—a fact that seems to be understood by these end users,” the report states.

Among those implementing or managing cybersecurity solutions, 43 percent stated they are more concerned about insider threats to data security than external breaches and 35 percent said they were equally concerned about both internal and external threats. Among all respondents to the survey, 41 percent said they were equally concerned about insider threats to data security and external threats, and 34 percent said they were more concerned about insider threats than external breaches.

The survey also found that training continues to be a staple for addressing threats posed by insiders, with three-fourths of respondents stating that they rely on this tactic. As indicated in the study, roughly half of the respondents are leveraging identity governance for data stored in files (56 percent) or data loss prevention (DLP) tools (58 percent). “Training without enablement tools and technology is insufficient for closing critical security and even compliance gaps,” the report states. What’s more, 48 percent of organizations use access behavior monitoring and analytics.

The survey results also indicate that a unified governance approach to digital identities and their access continues to mature, but has room to grow. Two-thirds of respondents said their organizations have incorporated less than half of their applications into an identity governance program.

Forty-eight percent of respondents stated they use manual permissions assignments to govern and manage the ever-growing volume of data stored in files. According to the report authors, this is an extremely inefficient way of managing data and cannot be effectively scaled, creating large security gaps.

The report notes that provider organizations must look at insiders through the lens of application and data access entitlements, including employed and non-employed staff, volunteers, vendor partners, contractors and even patients who access their personal health records via online portals. Each of these individuals may expose sensitive data for any one of three reasons: accident, negligence or malicious activity. Accidental exposure refers to unauthorized exposure of sensitive information, often the result of users lacking awareness of processes or best practices. Negligent users knowingly disregard established policies for various reasons, but their intent is not malicious. There are also users who intentionally expose sensitive data for various reasons, whether for financial gain or espionage.

