


New Threats Drive Improved Practices: The State of Health Care Cybersecurity

Personal Health Records Most at Risk; Small Security Gains in Health Care; Weaknesses Remain

  • Bethesda, MD
  • December 2, 2014

The growing presence of online personal information and new methods of accessing and transferring medical data are increasingly putting sensitive protected data at risk, according to the 2014 SANS Health Care Cybersecurity Survey. Of the 224 qualified health care cybersecurity workers who completed this year's survey, 42% are most concerned about the risks to personal health records, 36% about patient portals and 21% about consumer-facing mobile apps.

These concerns highlight a growing awareness of risk to patient data across platforms, says Barbara Filkins, the SANS analyst and health care security and compliance expert who authored the paper.

"There appear to have actually been small gains fostered by better awareness of the threats out there," she says.

Compared to last year's survey results, twice as many respondents (24%) in this year's survey feel adequate in their ability to counter threats. Most encouragingly, 70% rated application and database security controls as effective or very effective. These are key areas health care organizations must focus on to protect sensitive, regulated data. Budgetary commitments for cybersecurity are starting to move up, with 13% of small businesses indicating they now have security budgets in the 4-6% range, and 3% more respondents in 2014 incorporating security into funded phases of the product development life cycle.

While some gains have been made, risks still abound. In this year's survey, 51% rank negligent insiders as the chief threat, while 37% of respondents rank training and awareness as ineffective countermeasures. Meanwhile, 41% are not satisfied with their current data breach solutions.

"My suspicion is that the same reasons the industry remains vulnerable to fraud, waste and abuse may very well be the reasons why the industry has also become attractive to the cybercriminals," Filkins notes.

Full results of the survey will be shared during a two-part webcast December 9 and 11, sponsored by Cigital, CloudPassage, FireEye, Qualys, RiskIQ, Tenable Network Security and Trend Micro, and hosted by SANS.

Part 1, at 1:00 PM on December 9, focuses on issues surrounding mobile health care delivery. Part 2, held at 1:00 PM on December 11, focuses on cloud computing and the challenges it brings to securing digital identities.

"The marriage of mobile endpoints and cloud computing in health care is here," adds Filkins. "Data-centric security is a reality. So we must ask: 'It's 10 PM, do you know where your digital identity is?'"

Both webcasts will offer suggestions for enhancing cybersecurity for health care information. Register and attend both webcasts to be eligible for a $50 American Express gift card. The recipient will be drawn and announced during the December 11th webcast.

Part 1, Mobile Health Controls:
Part 2, Cloud Computing Controls:

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and health care expert, Barbara Filkins.

Find out what is driving health care #infosec priorities in 2015. 12/9 Webcast PART 1:

Dec 9: #INFOSEC in Health Care PART 1: Survey Results/Mobile Health Concerns & Controls. #HIT

Dec 11: #INFOSEC in Health Care PART 2: Survey Results/Cloud Computing Concerns & Controls. #EMR

12/11 Health Care #INFOSEC Priorities Webcast PART 2 #HealthcareIT #EMR

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.