Lack of resources increasing the health care sector’s vulnerabilities

The Healthcare Information and Management Systems Society’s (HIMSS) 2018 Cybersecurity Survey interviewed more than 200 information security professionals in the health care sector.

The majority (75.7%) of respondents claimed that their organization experienced a serious security incident in the past year, with the most significant contributor being insufficient cybersecurity resources. With these findings surfacing after another recent survey had found that 18% of health care employees admitted they would sell confidential data to unauthorized parties, the health care sector needs to invest more in information security.

Key findings:

  • 61.9% said the initial point of compromise was email (phishing)
  • 52.4% said that lack of cybersecurity personnel was the biggest barrier to tackling cybersecurity issues
  • 46.6% said that inadequate information security funding was a crucial contributor to cybersecurity incidents
  • 37.6% said that online scam artists were responsible for recent security problems
  • 26% said that insiders facilitated data breaches, with most arising from employee negligence

The findings show that there are many contributing factors to the sector’s cybersecurity shortcomings and suggest that health care organizations need to urgently bolster their information security measures.

Protect your organization from rising cybersecurity risks

The survey has identified flaws in the health care sector’s current approach to information security, namely a lack of appropriate cybersecurity resources and inadequate staff awareness. These weaknesses put health care services at risk of violating the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s security rule identifies certain administrative, physical, and technical security safeguards that need to be implemented by covered entities to keep protected health information secure and establishes the standards that should be used to address these safeguards. Penalties for violating the HIPAA include fines of up to $250,000 and ten years of imprisonment.

Although the survey highlighted a number of concerns, it also revealed that the majority of organizations already have a security framework in place. There is no universally adopted framework among health care organizations, but the most widely adopted is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, used by 57.9% of respondents. The framework is designed to address the cybersecurity needs of critical infrastructure organizations, such as health care services, providing guidance to help them manage their cybersecurity risks. This guidance is based on existing best-practice standards and guidelines, and provides a way of aligning other frameworks and control sets with each organization’s unique cybersecurity needs.

The framework’s core security controls link to ISO 27001’s complementary standards on security and privacy controls. ISO 27001 is the international standard that describes best practice for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive or confidential data to ensure it remains secure. An organization that achieves ISO 27001 certification sends a message to clients, peers, and industries that it is taking effective measures to protect its data.

Learn how to implement an ISMS and achieve ISO 27001 Certification

IT Governance’s ISO 27001 Foundation and Lead Implementer courses will guide you through ISO 27001 ISMS implementation. You will gain an understanding of the activities needed to plan, implement, and maintain an ISO 27001-compliant ISMS. Learn more about the ISO27001 Certified ISMS Foundation Online course and the ISO27001 Certified ISMS Lead Implementer Online course. Book your place now!

Educate your staff

Organizations should also look to provide employees with comprehensive staff awareness training to remind them of their information security responsibilities and the organization’s regulatory and compliance requirements. It is important that employees understand the consequences of their actions should they act inappropriately.

This can be a time-consuming and costly process. To help, we have created the Information Security Staff Awareness E-learning Course, designed to help employees better understand information security risks, and to build awareness of policies and procedures.

Learn more about our Information Security Staff Awareness E-learning Course