HIPAA & HITECH security

A recent survey conducted by HIMSS Analytics for the 2017 Level 3 Healthcare Security Study has unveiled that the biggest issue in regards to HIPAA data security is the lack of security awareness among healthcare employees.

The Level 3 Communications, Inc., sponsored survey was conducted on 125 healthcare Information Technology executives and professionals, including directors, managers, CISO’s and other related Information Technology employees. The goal of the recent study was to provide insight into the security concerns within the healthcare industry, specifically in IT.

The majority of respondents – eighty five percent  – said they had education programs in place that taught employees to be aware of security, but that was not enough to ease most concerns. The total lack of employee security awareness was the top issue, with more than seventy eight percent of respondents claiming employee security awareness was one of the top concerns regarding  their exposure to threats.

Employees are considered the weakest link in the security chain in any industry, and with good cause.  Protenus released a Healthcare Breach Barometer report last month which indicated that insiders are the primary cause of breaches with healthcare data.

Forty four percent of reported healthcare data breaches were due to insiders in March of 2017 – based on a mix of deliberate attacks and errors. Insiders caused Fifty eight percent of breaches in February 2017. Many times, due to lack of security awareness and improper training mistakes are made that result in vulnerabilities being open to attackers which allow for data breaches.

Organizations claimed that the main barriers to developing an effective, comprehensive security program were other issues that took priority over security. Th other main problem was budget constraints. These were followed by the impact caused to workflows, employee training and awareness and a lack of in-house experts to help.

The survey also revealed organizations are using multiple risk mitigation practices:

  • Eighty seven percent are using remote access &  secure access controls
  • Eighty five percent relying on security awareness programs  & training for employees
  • Seventy five percent use third party security consulting services, vulnerability assessments and penetration tests to uncover potential weak points in their security posture.
  • Sixty percent of organizations have implemented next-generation firewalls
  • Fifty six percent have implemented DDoS mitigation services
  • Fifty five percent utilize cyber threat intelligence

Thirty six percent of respondents rated their level of concern about a potential security breach in the next twelve months as high while only roughly two percent claimed they had no concern.

Chris Richter, ‎SVP, Global Security Services for Level 3, said “The security threats the healthcare industry is facing are real and they’re only increasing in volume and sophistication as bad actors continue to seek out coveted protected health information.”

Richter said it is important to foster and maintain a culture of security and to ensure employees receive regular security training, but additionally, “healthcare organizations should implement a security governance framework and appropriate technology controls.” Those controls should include “threat intelligence, DDoS mitigation and next generation firewalls and sandboxing.”