Symantec and HIMSS Analytics released their annual IT security and risk management study, which looks at where healthcare organizations stand in terms of security investments and efforts alike. The good news: Healthcare organizations appear to be showing improvements in the area of risk management. Unfortunately, they’re still struggling with the risks associated with medical devices and cloud adoption.
Here are some key findings from the study:
- 60% of healthcare providers identify risk assessment as the number one reason for investments made in security.
- 59% identify “performance against risk frameworks” as their main security key performance indicator.
- 73% identify budget as the barrier keeping them from improving their security programs.
- 36% identify a lack of appropriate tools as the barrier keeping them from improving their security programs.
- 74% devote 6 percent or less of their total technology budget to security-related spending.
As far as concerns go, here’s a few more key findings from the study we found interesting:
- 71% of healthcare providers believe moving information/applications to the cloud is concerning, yet 75% of respondents have already done so.
- A staggering 95% believe the security of their medical devices is very concerning.
As made evident in the study, healthcare providers understand the need for security as a whole, however, there’s a multitude of challenges keeping them from fully ensuring they’re protected. In 2017 alone, 295 healthcare providers suffered a breach that involved more than 500 patient records. In total, over 4.77 million people were impacted.
A HIPAA Security Risk Assessment Goes a Long Way to Making Sure You’re Not Leaving These Top Security Gaps Open…
So are the concerns regarding the cloud and medical devices founded? What are the top security gaps facing healthcare organizations throughout the US? Here are the most pressing security gaps that MUST be addressed. The best way to discover them is having a HIPAA security risk assessment performed:
- Lack of monitoring for networked medical devices: Medical devices on the network must be monitored regularly with periodic assessments to ensure all is functioning properly. If they aren’t monitored, errors in treatments or misdiagnosis can occur.
- Lack of endpoint device encryption: All devices must be encrypted, especially those storing sensitive information. Only 41% of healthcare organizations are currently taking advantage of endpoint device encryption, which puts a lot of sensitive data at risk.
- Lack of strong vendor management: A comprehensive list of business associate agreements should be maintained and kept up-to-date, in order to ensure you’re able to adequately protect any and all PHI against unauthorized users.
- Lack of business continuity and incident response plans: In the event of an incident, healthcare providers must have plans in place to ensure they’re able to recover systems and coordinate internal and external teams for the purpose of minimizing impact.
- Lack of proper configuration of alarm notification systems: All software solutions sending alerts from medical devices to smartphones or other communication devices must be configured properly. This should be validated on a regular basis to ensure the integrity of the software.
- Lack of user awareness training: All staff members must be trained on HIPAA compliance and proper information security protocols. This training should occur upon hiring, changing of roles, and on a frequent basis (such as quarterly). Only 41% of healthcare providers are currently doing this.
- Lack of proper access controls: All systems, databases, and applications that store or receive PHI must be checked to confirm proper access controls – from passwords to two-factor authentication. All passwords should meet complexity requirements and be required to be reset regularly.
Healthcare providers should be reviewing their information technology environment, as well as their general culture regarding information security, on a regular basis. It’s vital to check and double check that PHI is being handled, stored, and accessed in a way that meets the standards set by HIPAA. This is where a HIPAA security risk assessment comes into play.
All aspects of a healthcare provider’s approach to cybersecurity must be handled to close security gaps and minimize the risk of a breach.
Any and all security tools implemented must work together to ensure security gaps are closed and the likelihood of a breach is minimized. In this day and age, security is a business problem first and foremost. If a breach occurs, you’re risking non-compliance fines in addition to a major hit to your bottom line, and most importantly, patient safety.
Reliable IT Healthcare specializes in working with healthcare providers in Nation wide. We take the burden of information security off your shoulders so you can focus on what’s important: taking care of your patients. Call (720) 543-2240 or email firstname.lastname@example.org to book your HIPAA security risk assessment now.