Security threats, hackers and shadow IT still plague health IT

02.07.2015
Security has long been a primary challenge in the health IT market, and two new reports help illustrate the vulnerabilities surrounding some of the most sensitive consumer data.

The health IT group HIMSS on Tuesday released its 2015 cybersecurity survey, finding that 87 percent of healthcare officials and information security workers polled identify cybersecurity as an increasing business priority within their organizations, but still report an alarming rate of intrusions.

Two-thirds of the nearly 300 respondents report that their organization had recently experienced a "significant" cyber event, and many express little confidence in their ability to defend against zero-day attacks.

In a statement, HIMSS Vice President Lisa Gallagher calls the recent breaches in the healthcare sector a "wake-up call" that should remind the industry that the information held in medical systems is a high-value target, and that many firms need to take security more seriously.

"Healthcare organizations need to rapidly adjust their strategies to defend against cyberattacks," Gallagher says. "This means implementing threat data, incorporating new tools and sophisticated analysis into their security process."

Shadow IT is a big threat in healthcare

In a separate study, the security-software vendor Skyhigh Networks offers a sobering assessment of the extent of unauthorized applications and services running within healthcare organizations. As a result of that so-called shadow IT, the average healthcare firm is running 928 cloud services, more than 10 times the number that IT departments know to be in use, according to Skyhigh's analysis.

In most cases, employees have no malicious intent when they use unauthorized tools to collaborate, develop software or share content, but in doing so they nonetheless introduce new security vulnerabilities -- only 7 percent of the cloud services Skyhigh detected meet its standards for acceptable enterprise security and compliance.

As a starting point, Rick Hopfer, CIO at Molina Healthcare, suggests that CIOs take an inventory of the cloud services running within their organizations to assess their security posture. The exercise of evaluating what types of applications employees are running can shed light on the tools they need to support the business objectives of the enterprise.

Safe cloud adoption in healthcare is crucial

"You don't know what you don't know, so the first thing CIOs can do to help their employees adopt the cloud safely is to discover all the services in use across the organization," Rick Hopfer, CIO at Molina Healthcare, writes in an email. "Employees rarely have the information to determine whether a particular cloud application complies with the organization's security and compliance policies."
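The inventory step described above, both the suggestion that CIOs catalogue the cloud services in use and the "discover all the services in use" quote, is usually done by mining outbound web-proxy logs for the hostnames employees actually talk to and comparing them against the sanctioned list. The following is an added example and is not code from the article, from Skyhigh Networks or from Molina Healthcare; it assumes a simplified Squid-style proxy log format, a constructed set of log lines, and a constructed sanctioned-services list and domain-to-service catalogue, all of which are placeholders for an organization's real proxy export and policy.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of web-proxy log lines (simplified Squid-like format).
# Fields: timestamp, client IP, bytes sent by client, method, URL, HTTP status.
SAMPLE_PROXY_LOG = """\
1425300001.123 10.20.1.15 51234 GET https://mail.office365.com/owa/ 200
1425300002.456 10.20.1.15 8831 POST https://api.dropbox.com/2/files/upload 200
1425300003.789 10.20.1.22 2104 GET https://drive.google.com/drive/my-drive 200
1425300004.012 10.20.1.22 9012 POST https://api.dropbox.com/2/files/upload 200
1425300005.345 10.20.1.31 120 GET https://www.example-hospital.org/intranet/ 200
1425300006.678 10.20.1.31 4450 POST https://pastebin.com/api/api_post.php 200
1425300007.901 10.20.1.40 77000 PUT https://storage.wetransfer.com/upload 201
1425300008.234 10.20.1.15 300 GET https://cdn.dropbox.com/static/app.js 200
"""

# Constructed policy: registrable domains the IT department has approved.
SANCTIONED = {"office365.com", "example-hospital.org"}

# Constructed catalogue mapping registrable domains to a service name so that
# api.dropbox.com and cdn.dropbox.com collapse into one inventory entry.
SERVICE_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "google.com": "Google Drive",
    "pastebin.com": "Pastebin",
    "wetransfer.com": "WeTransfer",
    "office365.com": "Office 365",
    "example-hospital.org": "Hospital intranet",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<bytes>\d+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)


def registrable_domain(host):
    """Last-two-labels heuristic; adequate for the sample, not for public suffixes like co.uk."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m.group("url")).hostname or ""
    return {
        "client": m.group("client"),
        "bytes": int(m.group("bytes")),
        "domain": registrable_domain(host),
        # POST/PUT traffic is where sensitive records leave the network, so track it separately.
        "upload": m.group("method") in ("POST", "PUT"),
    }


def discover_services(log_text):
    """Build {service: {"clients": set, "requests": n, "upload_bytes": n, "sanctioned": bool}}."""
    inventory = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name = SERVICE_CATALOGUE.get(rec["domain"], rec["domain"])
        entry = inventory.setdefault(
            name,
            {"clients": set(), "requests": 0, "upload_bytes": 0,
             "sanctioned": rec["domain"] in SANCTIONED},
        )
        entry["clients"].add(rec["client"])
        entry["requests"] += 1
        if rec["upload"]:
            entry["upload_bytes"] += rec["bytes"]
    return inventory


def unsanctioned_services(log_text):
    """Names of services seen in the log that are not on the sanctioned list, sorted."""
    return sorted(n for n, e in discover_services(log_text).items() if not e["sanctioned"])


def shadow_it_ratio(log_text):
    """Fraction of distinct services in use that IT has not sanctioned."""
    inv = discover_services(log_text)
    if not inv:
        return 0.0
    return sum(1 for e in inv.values() if not e["sanctioned"]) / len(inv)


if __name__ == "__main__":
    inv = discover_services(SAMPLE_PROXY_LOG)
    # Rank by bytes uploaded: the unsanctioned services receiving the most data come first.
    for name, e in sorted(inv.items(), key=lambda kv: -kv[1]["upload_bytes"]):
        flag = "sanctioned" if e["sanctioned"] else "UNSANCTIONED"
        print(f"{name:20s} {flag:13s} users={len(e['clients'])} "
              f"requests={e['requests']} upload_bytes={e['upload_bytes']}")
```

Running the script lists six services, four of them unsanctioned, with Dropbox and WeTransfer topping the upload-volume ranking; that ranking, rather than the raw service count, is what lets a CIO decide which services to replace with a sanctioned equivalent first, which is the educate-and-provide approach Hopfer describes.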

The average healthcare employee uses 26 different cloud services, Skyhigh found. And those applications often have very different levels of security protections, highlighting the importance of the IT department working with the business units to ensure that cloud services are deployed safely and managed by the CIO's team.

"We educate employees on which services are high-risk and provide them with cloud services that have best-in-class security capabilities and a great user experience," Hopfer says.


As hackers grow more sophisticated and attacks mount, security is a primary concern for CIOs in all industries, but it carries a special importance in healthcare owing to the sensitivity of the data involved. Moreover, much of the information contained in health records is unalterable, and, taken in composite, makes for a remarkably full profile that criminals can put to use for all manner of fraudulent ends.

"It's a social engineer's dream," says Mark Sander, a health IT veteran who co-founded the North Jersey CIO Roundtable. "You can change your driver's license information. You can change your banking information. How do you change your biometric data? You can't."

(www.cio.com)

Kenneth Corbin