[BreachExchange] Hospital cybersecurity failing to encrypt transmitted health records

Wed Aug 24 17:51:57 EDT 2016

http://searchsecurity.techtarget.com/news/450303023/Hospital-cybersecurity-
failing-to-encrypt-transmitted-health-records

A new cybersecurity study of hospitals and other provider care sites
uncovered bad habits such as transmitting unencrypted health records and
issues with a lack of adoption of many security products.

The survey, conducted by Healthcare Information and Management Systems
Society (HIMSS), based in Chicago, received responses from 119 acute care
providers and 31 non-acute care facilities, including physicians' offices
and outpatient offices, over a one-month period. According to the findings,
36% of respondents admitted they did not encrypt health records in transit
and even fewer (58.7%) encrypted data at rest.

"This means that the providers that are not encrypting data are sending
protected health information and other data in the clear, leaving such data
susceptible to being breached by eavesdropping, packet sniffing, or other
means," HIMSS wrote in the report. "Similarly, only 61.3% of acute
providers are encrypting data at rest and 48.4% of non-acute providers are
encrypting data at rest. This, as well, leaves the door wide open to
potential tampering and corruption of the data, in addition to a large
potential for a breach."

Of the cybersecurity products surveyed only antivirus/antimalware,
firewalls and audit logs were found to be more prevalent in non-acute
provider locations. HIMSS suggested this may be due to acute providers
having relatively more financial resources to invest in a wider array of
technologies.

"The information security tool profile of providers in the 2016 study
suggests providers generally rely on a limited portfolio of security
tools," HIMSS wrote. "This may be due to providers lacking appropriate
personnel and/or budget … [but] while a wide variety of information
security tools are available for providers to leverage, acute care
providers appear to have a greater array of security technologies in their
portfolio than non-acute providers.

Even so, antivirus/antimalware and firewalls were the only security
products found in more than 80% of all respondent locations and only those
two technologies and audit logs were used by than 50% of non-acute
providers. Some tools had very high differences in usage, such as patch and
vulnerability management which was implemented by 61.3% of acute providers
but only 41.9% of non-acute providers.

"Essentially, where technology exists, there are vulnerabilities. Such
vulnerabilities can sometimes have a high likelihood of exploitation,"
HIMSS wrote. "A lack of such a program can lead to a large attack surface.
Safeguards, such as patches, correct configurations, and other measures,
are meant to address these exploitable weaknesses. Without a program in
place, there can be a large time window for hackers to exploit an unpatched
system -- especially if systems are patched or upgraded on a reactive, ad
hoc basis. Time is money, including for hackers, and they are likely to go
after low hanging fruit."

However, HIMSS noted in the report there is evidence that providers' and
hospital cybersecurity has been improving. More than 70% of all respondents
reported improvements in network security over the past year, while 61.3%
improved endpoint security and 52% improved disaster recovery.

"Beyond the actual experience of the significant security incident,
respondents tended to cite three specific motivators driving their
organization's information security efforts this past year; reactions
tophishing attacks and virus/malware incidents and proactively addressing
the results of a risk assessment," HIMSS wrote. "With phishing and denial
of service attacks, viruses, and malware on the rise, it is no surprise
that providers are motivated to improve their information security posture."

HIMSS said the respondents appeared to have a solid grasp on the current
and future threats facing them as well as where hospital cybersecurity
could falter. E-mail was rated as the greatest area of vulnerability across
the board and phishing was rated as a concern, as was exploitation of known
software vulnerabilities. And, ransomware was rated as the most significant
future threat to hospital cybersecurity.

But, respondents could not find consensus on what was the biggest barrier
to mitigating these threats. The top response was a lack of cybersecurity
personnel (58.7%), followed by a lack of financial resources (54.7%) and
there being too many new or emerging threats (49.3%).

"Cybersecurity attacks have the potential to yield disastrous results for
healthcare providers and society as a whole. It is imperative healthcare
providers acknowledge the need to address cybersecurity concerns and act
accordingly," HIMSS wrote. "Fortunately, the evidence from this study
suggests providers are taking steps to address cybersecurity concerns.
However, more progress needs to be made so that providers can truly stay
ahead of the threats."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160824/e3e9122c/attachment.html>