Train From Home on Your Schedule with OnDemand - Special Offers Available Now


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS Announces Results of its Inaugural Health Care Information Security Survey

Adoption of Mobile/Cloud Technologies Outweigh Security Concerns; Compliance Still the Biggest Driver

  • Bethesda, MD
  • October 17, 2013

SANS announces results of its inaugural health care information security survey, in which 373 health care IT professionals answered questions about their digital health initiatives, awareness and concerns over risk, and how they are (or are not) managing this risk. The survey was sponsored by Oracle, Redspin, Tenable Network Security and Trend Micro.

The majority of respondents represented IT staff working in some form of clinical setting, including a hospital (32%), physician group practice (12%), rural or critical access hospital (8%) and individual provider (6%). There were also several ancillary services represented, including health plan/payer (17%) and lab and radiology (12%).

"While these respondents primarily represented the IT side of health care, their biggest driver for information security is regulatory compliance," says survey author Barbara Filkins. "There was also a common theme on 'securing the human,' emphasizing a need for technical, clinical and compliance staff to work together for effective risk management and compliance."

In the survey, concerns over negligent insiders were a primary among 65%, followed by lack of investment in user awareness (53% selected this option as among their top three concerns). When asked about the effectiveness of their controls, only 40% rate "workforce training and awareness" as effective, while nearly 30% consider it their least effective control.

Respondents are also concerned about the security of their electronic medical records/electronic health records as well as personal health record or PHR systems. PHRs can be "untethered" from the more regulated electronic health record systems and not subject to the same regulatory protection and control.

"Despite these concerns, organizations are accepting the risks for the convenience of mobile and cloud technologies in delivering care to patients," Filkins adds.

Results will be pre-released during the SANS HealthCare Cyber Security Summit, at the Hyatt Fisherman's Warf in San Francisco, Oct. 23, 2013.

There will also be a webcast for those not attending the summit on Wednesday, October 30, at 1 PM EDT, where SANS releases the full set of results. Register for the webcast at

Those who register for the webcast will be given access to an advanced copy of the associated report developed by Barbara Filkins.

The SANS Analyst Program,, is part of the SANS Institute.

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (