New Threats Drive Improved Practices: The State of Health Care Cybersecurity

Personal Health Records Most at Risk; Small Security Gains in Health Care; Weaknesses Remain

  • Bethesda, MD
  • December 2, 2014

The growing presence of online personal information and new methods of accessing and transferring medical data are increasingly putting sensitive protected data at risk, according to the 2014 SANS Health Care Cybersecurity Survey. Of the 224 qualified health care cybersecurity workers who completed this year's survey, 42% are most concerned about the risks to personal health records, 36% about patient portals and 21% about consumer-facing mobile apps.

These concerns highlight a growing awareness of risk to patient data across platforms, says Barbara Filkins, the SANS analyst and health care security and compliance expert who authored the paper.

"There appear to have actually been small gains fostered by better awareness of the threats out there," she says.

Compared to last year's survey results, twice as many respondents (24%) in this year's survey feel adequate in their ability to counter threats. Most encouragingly, 70% rated application and database security controls as effective or very effective. These are key areas health care organizations must focus on to protect sensitive, regulated data. Budgetary commitments for cybersecurity are starting to move up, with 13% of small businesses indicating they now have security budgets in the 4-6% range, and 3% more respondents in 2014 incorporating security into funded phases of the product development life cycle.

While some gains have been made, risks still abound. In this year's survey, 51% rank negligent insiders as the chief threat, while 37% of respondents rank training and awareness as ineffective countermeasures. Meanwhile, 41% are not satisfied with their current data breach solutions.

"My suspicion is that the same reasons the industry remains vulnerable to fraud, waste and abuse may very well be the reasons why the industry has also become attractive to the cybercriminals," Filkins notes.

Full results of the survey will be shared during a two-part webcast December 9 and 11, sponsored by Cigital, CloudPassage, FireEye, Qualys, RiskIQ, Tenable Network Security and Trend Micro, and hosted by SANS.

Part 1, at 1:00 PM on December 9, focuses on issues surrounding mobile health care delivery. Part 2, held at 1:00 PM on December 11, focuses on cloud computing and the challenges it brings to securing digital identities.

"The marriage of mobile endpoints and cloud computing in health care is here," adds Filkins. "Data-centric security is a reality. So we must ask: 'It's 10 PM, do you know where your digital identity is?'"

Both webcasts will offer suggestions for enhancing cybersecurity for health care information. Register and attend both webcasts to be eligible for a $50 American Express gift card. The recipient will be drawn and announced during the December 11th webcast.

Part 1, Mobile Health Controls: www.sans.org/info/172517
Part 2, Cloud Computing Controls: www.sans.org/info/172522

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and health care expert, Barbara Filkins.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 30 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (https://www.sans.org)