[BreachExchange] Health IT Leaders Cite Data Theft As Key Cybersecurity Concern

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 27 20:14:09 EDT 2016


http://healthitsecurity.com/news/health-it-leaders-cite-data-theft-as-key-cybersecurity-concern

Social engineering attacks and data theft are the main cybersecurity
concerns when it comes to health IT, according to a recent survey of
healthcare chief information and chief information security officers.

The College of Healthcare Information Management (CHIME) and the
Association for Executives in Healthcare Information Security (AEHIS)
recently interviewed approximately 200 of their members on the current
healthcare cybersecurity issues.

Along with the potential of losing sensitive data, respondents said that
social engineering attacks, which include spear phishing, were a key
concern.

“The survey data is representative of what we are hearing from our
colleagues across the industry. Cyber criminals are attacking us from
nearly every angle,” Marc Probst, chair of the CHIME board of trustees and
CIO at Intermountain Healthcare, said in a statement. “We have to be
extremely vigilant in educating our staff and our business partners on how
to minimize the risk of an attack. We are only as safe as the weakest link
along our networks.”

When asked to rank their data security concerns on a scale of 1 to 5, with
1 being their top concern, data theft averaged a 1.75 rating. Social
engineering attacks were given a 1.88 average rating, while insider threats
came in third with an average rating of 2.36.

Respondents did state, though, that their organization’s approach to
healthcare cybersecurity was improving. Those surveyed were asked to rank
recovery and preparation methods on a scale of 1 to 3, with 1 being
“Better” and 3 being “Worse.” Having systems in place to prepare for
security was given an average rating of 1.16, while recovering from a data
security incident received an average rating of 1.28.

When asked to indicate common security vulnerabilities, respondents as a
whole said that data exposure, poor authentication, and other application
vulnerabilities were the most likely to occur. However, smaller healthcare
organizations - those with fewer than 100 beds - said that security
misconfiguration was the most common security vulnerability. Respondents in
a facility with 400 or more beds listed other application vulnerabilities
as the most common.

The survey also revealed that health IT leaders want federal agencies to
provide more assistance on improving information sharing and threat
assessments. Nearly 40 percent of respondents said they were not confident
at all in federal legislators' understanding of the importance of security
initiatives. Approximately one-quarter of those surveyed stated they were
somewhat confident in the same area.

Overall, respondents listed the following as the top three things the
government should do to help healthcare organizations share cybersecurity
information more easily and faster:

- Incentivize participation in Information Sharing Organizations (ISO) and
  Information Sharing Analysis Organizations (ISAO). (i.e. shielding against
  audits for providers who mentor / help less resourced providers)
- Create and distribute tools aimed at providers of different sizes and
  levels of resources (i.e. resources for small providers could vary from
  those needed by resourced, larger providers)
- Require manufacturers to have to report cyber risks directly to providers,
  not just US-CERT

“We are all in this together,” Probst added. “New payment and delivery
models are creating a more connected healthcare system than ever before,
but we need our partners in the federal government to understand the risks
that are out there and to work with us on finding common sense solutions.”