Survey: Access Is Top IT Security Concern In Healthcare

  • Apr 28, 2008

According to a survey conducted at the HIMSS 2008 Annual Conference and Exhibition, 64 percent of respondents cited “access” as their number one IT security concern, highlighting the importance of controlling user access to clinical systems and applications in healthcare environments.

Additionally, 60 percent of attendees surveyed cite the threat of a HIPAA compliance audit as the strongest driver for security initiatives. These findings are the results of a HIMSS attendee survey conducted by Courion Corp.

Despite heightened access concerns, healthcare providers continue to be vulnerable to security and compliance risks. In fact, according to the HIMSS attendee survey, over the past year:

  • 60 percent of respondents reported issues with users sharing passwords.
  • 52 percent found orphan accounts not properly disabled.
  • 38 percent identified instances of inappropriate access.

While risk management issues are clearly viewed as a priority, a Courion-commissioned focus group conducted by HIMSS Analytics uncovered an increasing concern that the pressure to deploy comprehensive electronic medical record (EMR) systems is taking budget and resources away from other priorities -- specifically security and compliance efforts. EMRs are often viewed as a priority by executive management to support operational goals associated with delivering high quality patient care. This demonstration of dueling operational and IT priorities often pits quality of care against patient privacy.

“The HIMSS research supports an interesting dichotomy we’re seeing in the healthcare market today. With CIOs taking on increasing responsibility for risk management issues along with operations, security is being looked at more strategically by hospitals,” said Todd Chambers, chief marketing officer, Courion. “But with limited budgets, it’s a challenge to prioritize. With more hospitals relying on remote and non-employee workforces, combined with the use of mobile and virtualization technology, the IT environment is increasingly difficult to secure, and without the enforcement of proper policies and checks and balances, audits will become increasingly difficult to pass.”

Following are key themes and results derived from the research efforts conducted at HIMSS 08 by HIMSS Analytics and Courion. The research was conducted with HIMSS attendees, including a cross-section of healthcare providers ranging from community hospitals to multi-hospital systems. The focus group and survey were developed to gain more insight into how healthcare providers view the importance of security and compliance efforts, especially in context of patient care and privacy priorities, and increasing enforcement of HIPAA guidelines.

There is no doubt that HIPAA remains a primary driver of IT and security decision-making, especially as more frequent federal audits have become a reality -- and not just for those that have suffered breaches. In fact, according to the HIMSS attendee survey, 75 percent of respondents were concerned/very concerned about facing a HIPAA audit and the majority of respondents (60 percent) cited the threat of a HIPAA compliance audit as the strongest driver for their security initiatives.

“The threat of a HIPAA audit has certainly become a significant factor in keeping compliance and security issues top of mind. This is something we didn’t see as prominently over the past few years, and is yet another indication of why there is increasing emphasis being put on controlling user access and proactively enforcing business policies,” Chambers said.

Focus group participants voiced that EMR deployments had become such a priority for their hospitals that budget and resources are being shifted away from HIPAA compliance and security efforts. These results show that many hospitals may be leaving themselves potentially exposed, especially as audits become “not if, but when” scenarios. While the fear of a federal audit and cost of litigation often help justify new security investments, security and compliance don’t often rank as budget priorities.

There was an overriding sentiment among focus group participants that compliance and security don’t become top priorities unless there is a security breach or the hospital is facing an external audit. This decidedly “reactive” approach to compliance and security is an increasing concern, particularly as high-profile privacy breaches, most recently impacting the UCLA Medical Center and unauthorized access to medical records for Britney Spears and Farrah Fawcett, will certainly continue to make headlines. In fact, many felt there was a sense of denial at the executive level about their facility actually being vulnerable to a security breach.

Quality of patient care and patient data privacy were cited as the top operational concerns keeping respondents “up at night” in the attendee survey. Sixty-four percent of respondents agreed that user “access” was their number one IT security concern. Healthcare providers remain challenged to better manage system access by non-employees who need certain systems and medical record information to do their jobs. These non-employees could include contractors, non-staff nurses or physicians and third-party vendors. Access issues are a major concern not only in terms of opening up their hospitals’ systems to possible computer viruses and hackers, but also in terms of being able to meet HIPAA audit requirements that require hospitals to attest that they know who is accessing the systems, what is being accessed, and whether or not that access is in compliance with existing policies.

Despite having formal security policies and compliance environments in place, it’s often the number of policies and lack of standard, centralized enforcement that create the greatest security concerns. According to the focus group, this is a particular problem when policies, and the consequences of non-compliance, vary across multi-hospital systems and even interdepartmentally within a single hospital and range from “zero tolerance” to taking a more educational “slap on the wrist” approach.

The survey found that over past year, the most common compliance vulnerabilities experienced by respondents were: Users sharing passwords, orphan accounts left active, and inappropriate access. Enforcement of security policies addressing these vulnerabilities is typically handled through a variety of manual and automated controls for staff onboarding, transfer and termination processes.

While most hospitals conduct regular audits to determine if data has been compromised, it can be a time-consuming process if done manually, and more importantly, audits alone do nothing to prevent a breach from happening in the first place. They only report what has already happened. While some hospitals are addressing this challenge by implementing policies where staff are warned about the consequences of accessing questionable information as they attempt to access it, known as “break the glass” policies, many focus group members said “education” was in fact a deterrent to internal security breaches.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services

  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

Most   Popular

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”