Hackers have captured the attention of members of the healthcare security community, but the industry's top data guardians are feeling hampered in their efforts to protect their organizations by a lack of manpower and money, a new survey report shows.
A significant minority of security pros still report their systems are not encrypting patient data, a basic defense, according to the survey by the Healthcare Information and Management Systems Society, a Chicago-based trade group for the health information technology industry.
Ransomware attacks, in which cyber criminals hack into a healthcare database and hold it hostage until a ransom is paid, are public enemy No. 1, according to the survey. Ransomware attacks were cited most often (by 69% of respondents) as a significant threat to HIT system security.
Most HIMSS survey respondents (77% acute, 74% non-acute) believe their adversaries' primary motivation is to grab their data for medical identity theft.
A subspecies of identity theft, medical identity theft is when a patient's identity is stolen and used by others to obtain healthcare in that patient's name. Medical identity theft is particularly pernicious in the current era of increased health information exchange because it has the potential to dangerously pollute a patient's electronic clinical records without their knowledge and come back to haunt them later when they seek care.
This year's report is based on a survey of 150 information security leaders at U.S. hospitals and hospital systems and various “non-acute” care environments such as physician offices, behavioral health and long-term care facilities and home health service providers. The survey was conducted between February and May this year.
The good news is, surveyors found that 85% of respondents from acute care providers and 81% from non-acute-care organizations made healthcare security a higher priority in 2016 than in the past.
Now the bad news: Chronic underfunding of health IT defenses has been a recurring theme in security surveys for years, and this year's HIMSS survey is no exception.
About half of survey respondents (55%) cited lack of financial resources as a barrier to mitigating their cybersecurity risks. More than half (59%) were having trouble finding good security people – described as “appropriate cybersecurity personnel.”
More than half (59%) reported using encryption of their data at rest, while 64% were encrypting data in transit. Flipped over, those numbers imply that 41% were still not encrypting their data in storage and 36% were not even encrypting patient information when moving it from one place to another.
“People view encryption and security in general as a hindrance to their work,” said Lee Kim, director of privacy and security at HIMSS North America. “They have to swallow that vitamin. It's yucky, but it's good for you.”