Report: Human Element is the Weakest Link in Healthcare Cybersecurity Infrastructure

Healthcare Informatics Magazine

January 20, 2016
by Heather Landi

As almost daily news headlines indicate, the healthcare industry is increasingly a target for cyber attacks and data breaches. In fact, according to a report from the Institute for Critical Infrastructure Technology (ICIT), the healthcare industry is the most targeted sector in the U.S. for cyber attacks, yet it’s also the least prepared, and the human element in the healthcare cybersecurity infrastructure continues to be the weakest link.

The report, titled “Hacking Healthcare IT in 2016,” lays out a number of lessons that the healthcare industry can learn from previous large-scale security breaches, specifically the United States Office of Personnel Management (OPM) and Anthem.

According to the report authors, the same organization presumed to have carried out the OPM hack has continued to target healthcare organizations since the Anthem and Premera Blue Cross breaches, which put at risk more than 91 million Americans’ electronic health records.

“The remainder of the healthcare sector needs to learn from these prolific breaches before their organizations are the next to fall and place patients at risk. Cybersecurity reform must encompass the people in the organization, the policies and procedures in place, and the technologies deployed,” the report authors state.

The healthcare industry is in the unfortunate position of managing and storing sensitive data that’s very valuable to cyber criminals while simultaneously having significant vulnerabilities in its “insecure and antiquated networks” that these malicious hackers can exploit to get to patient health records.

The healthcare sector manages very sensitive and diverse data, which ranges from personally identifiable information (PII) to financial information. An electronic health record (EHR) contains a patient’s personally identifiable information, their private health information, and their financial information.

And while healthcare organizations are subject to greater regulatory pressure than government entities, healthcare organizations also have greater fiscal flexibility and greater autonomy, according to the report.

“As a result, healthcare organizations have the opportunity to rapidly decrease the risk to their systems by propagating a multilayer information security program within their organizational culture. An effective program would justify budget allowances by deterring cybersecurity incidents, by better adhering to regulation (such as the HIPAA Security Rule), and by providing a definitive competitive operational advantage over other competitors,” the authors wrote.

The report authors also stated, “Rather than ignoring the threat hoping that insurance policies are large enough to cover the costs of a breach, the healthcare sector needs to invest in risk management based information security programs. Cybersecurity programs should be a multilayered defense that protects the confidentiality, integrity and availability of information whenever it is stored, in transit, or being processed.”

The 97-page report outlines a multipronged approach to meaningful cybersecurity for healthcare organizations, with a focus on people, policies and procedures, and technical controls. The report also highlights the cybersecurity challenges of healthcare in the digital age, such as the Internet of Things (IoT), telehealth, embedded devices and mobile apps. To that end, the report authors advocate for mandated penetration testing before and after a medical device is released. This will not stifle innovation, the authors state, but “rather it will create more opportunities through the perfection of technology.”

The report also addresses how legislation and collaboration could help with cybersecurity issues for the healthcare industry.

To address the human element in the cybersecurity infrastructure, healthcare organizations should focus on ongoing training, as hackers often target staff using spear-phishing and watering-hole attacks.

“Staff education, pre-market dissection of technology and patching of vulnerabilities that stimulate innovation and protect the public, and legislation that protects patient privacy and enforces device cybersecurity at the manufacturer level are only the first steps in creating better national cybersecurity hygiene,” the report authors wrote. “A cybersecurity-centric culture must demand safer devices from manufacturers, privacy adherence by the healthcare sector as a whole and legislation that expedites the path to a more secure and technologically scalable future by policy makers.”
