Save $400 on 4-6 day Courses at SANS Cyber Defense Initiative 2017. Ends Tomorrow!

Press


SANS Announces Results of its Inaugural Health Care Information Security Survey

Adoption of Mobile/Cloud Technologies Outweigh Security Concerns; Compliance Still the Biggest Driver

  • Bethesda, MD
  • October 17, 2013

SANS announces results of its inaugural health care information security survey, in which 373 health care IT professionals answered questions about their digital health initiatives, awareness and concerns over risk, and how they are (or are not) managing this risk. The survey was sponsored by Oracle, Redspin, Tenable Network Security and Trend Micro.

The majority of respondents represented IT staff working in some form of clinical setting, including a hospital (32%), physician group practice (12%), rural or critical access hospital (8%) and individual provider (6%). There were also several ancillary services represented, including health plan/payer (17%) and lab and radiology (12%).

"While these respondents primarily represented the IT side of health care, their biggest driver for information security is regulatory compliance," says survey author Barbara Filkins. "There was also a common theme on 'securing the human,' emphasizing a need for technical, clinical and compliance staff to work together for effective risk management and compliance."

In the survey, concerns over negligent insiders were a primary among 65%, followed by lack of investment in user awareness (53% selected this option as among their top three concerns). When asked about the effectiveness of their controls, only 40% rate "workforce training and awareness" as effective, while nearly 30% consider it their least effective control.

Respondents are also concerned about the security of their electronic medical records/electronic health records as well as personal health record or PHR systems. PHRs can be "untethered" from the more regulated electronic health record systems and not subject to the same regulatory protection and control.

"Despite these concerns, organizations are accepting the risks for the convenience of mobile and cloud technologies in delivering care to patients," Filkins adds.

Results will be pre-released during the SANS HealthCare Cyber Security Summit, at the Hyatt Fisherman's Warf in San Francisco, Oct. 23, 2013.

There will also be a webcast for those not attending the summit on Wednesday, October 30, at 1 PM EDT, where SANS releases the full set of results. Register for the webcast at http://www.sans.org/info/141255

Those who register for the webcast will be given access to an advanced copy of the associated report developed by Barbara Filkins.

The SANS Analyst Program, www.sans.org/reading_room/analysts_program, is part of the SANS Institute.

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 30 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (https://www.sans.org)