Healthcare cybersecurity gains, but room for improvement remains

Digital healthcare

Efforts to cut cybersecurity breaches appear to be working: healthcare organizations reported 4.5 million healthcare records compromised in 270 breaches in 2017, according to the Office for Civil Rights.

That is down substantially from the 16.5 million records breached in 2016 and the 113 million records reported breached in 2015.

Of those 270 breaches reported in 2017, 123 were attributed to hacking, with the largest resulting in 279,865 Medicaid records hacked at the Oklahoma State University Center for Health Sciences.

While the severity of data breaches has declined year over year, indicating cybersecurity in healthcare is improving, no one is breathing easier. At the HIMSS 2018 conference that just wrapped up in Las Vegas on March 9, the organization released its annual cybersecurity survey of its 70,000 health IT professionals. A huge majority (75.7 percent) of the 239 respondents said they had experienced a recent significant security incident.

Overall, the survey showed that healthcare organizations with cybersecurity programs are making progress in conducting regular risk assessments and taking proactive measures. Nevertheless, the report concluded that most healthcare organizations’ cybersecurity programs have room for improvement, particularly in the areas of mitigating and remediating security incidents. In addition, more organizations need to develop and deploy formal insider threat management programs.

Of the top three threats named, 37.6 percent of respondents named online scam artists such as phishers, 20.8 percent named negligent insiders and 20.1 percent named hackers.

Email remains by far the most significant security problem, as 61.9 percent of respondents identified email as the initial point of compromise. A compromised website and malware tied for a distant second as the initial point of entry, at only 3.2 percent each.

The majority of respondents said that they learned about the most significant security incident from their internal security team (40.7 percent) or from internal personnel other than the internal security team (27.5 percent). However, among those who responded, nearly 20 percent either didn’t know how the organization learned of a breach or learned about it from other sources.

Going forward, 84.3 percent of respondents say more resources are now going to address cybersecurity, 60 percent say their organizations have added a senior information security officer, and 45.5 percent say they are performing security risk assessments annually.

Hexagon IT provides network security and data protection from hackers, email and other threats to healthcare organizations. Contact us to get a free estimate for our cybersecurity services.

Sources: US Department of Health and Human Services Office for Civil Rights Breach Portal, and HIMSS survey report