Survey: Application Vulnerabilities are Top Cybersecurity Concern for Senior Health IT Execs | Healthcare Informatics Magazine | Health IT | Information Technology

Survey: Application Vulnerabilities are Top Cybersecurity Concern for Senior Health IT Execs

January 22, 2016
by Rajiv Leventhal

The exploitation of vulnerabilities in web, mobile and cloud-based applications is the top concern of healthcare IT executives, according to a recent survey from the Chicago-based Healthcare Information and Management Systems Society (HIMSS) and Burlington, Mass.-based vendor Veracode.

The survey of 200 senior IT security executives in hospitals across the U.S. revealed that the potential for loss of life due to compromised networks or medical devices, brand damage due to theft of patient information, and regulatory enforcement were the top fears of respondents related to such security breaches. Indeed, a single healthcare record brings nearly 10 times the value of a stolen credit card number, combined with the competitive differentiation of intellectual property, according to the research.

In fact, the number of records stolen has grown from 2.7 million in 2012 to more than 94 million through the first half of 2015, according to the U.S. Department of Health and Human Services (HHS). As such, the rapidly expanding IT footprint, a bottom-up technology culture where centralized security policies are difficult to enforce, and significant skills gaps around security create formidable challenges for healthcare providers to secure patient data, the survey concluded.

More specifically, liability over a breach is top of mind and providers are taking action to address their exposure. To meet liability requirements, 57 percent of survey respondents said they are increasing spending on third-party security assessments, such as code audits. Another 56 percent are inserting liability clauses into contracts with commercial software vendors to lessen the risk exposure from their software supply chain. And more than half are implementing standard frameworks such as SANS Institute Security Controls as a means to create a baseline security posture from which future improvements can be benchmarked, according to the survey.

What’s more, one of the biggest challenges healthcare organizations face is that much of the decision-making authority is held by the doctors themselves, rather than in a centralized manner. This bottom-up culture makes it very difficult for a Chief Information Security Officer (CISO) to implement consistent security controls across departments, resulting in serious vulnerability issues for the organization.

Some healthcare organizations have already started to push to address this challenge by making cybersecurity a top institutional priority, with 65 percent reporting investment in security technologies that enable governance policy enforcement; 51 percent investing in training initiatives to educate department heads about cybersecurity; and 44 percent pushing the CEO to be an advocate for centralized IT security policy across all departments.

“There's a perfect storm brewing for 2016 in healthcare and if things continue as is, we're likely to see an increased plundering of medical records leading to increases in insurance fraud, illegally purchased medical equipment and controlled substances, or something even worse,” Chris Wysopal, CTO and CISO, Veracode, said in a statement. “Remedying the problem starts with a good look at how healthcare-related software is built and making sure that security is a priority. In fact, our data from actual code-level analysis of billions of lines of code shows that 80 percent of healthcare applications contain easily avoidable cryptographic issues such as weak algorithms. Given the large amount of sensitive data collected by healthcare organizations, this is quite concerning.”
