Healthcare Organizations Lack Focus on Cybersecurity as Risks Continue

Healthcare provider organizations are lacking in planning and leadership for cybersecurity programs, according to results from a fourth quarter 2017 survey conducted by Black Book Research.

More than eight in 10 provider organizations surveyed do not have a “reliable enterprise leader” for their cybersecurity programs, according to a news release from Black Book™.

Results from payers, however, show more interest in cybersecurity planning. “When it comes to payers, 31 percent have an established manager for cybersecurity programs currently, with 44 percent planning to recruit a candidate in the new year,” according to the news release.

However, Black Book™ also reports the healthcare industry is underestimating security threats and organizations are hesitant to adopt best practices for cybersecurity.

Fifty-four percent of respondents revealed they do not conduct regular risk assessments, and 39 percent said they don’t test their security firewalls on a regular basis. “The low security posture of most healthcare organizations may prove a target demographic for which these attacks are successful,” Doug Brown, managing partner of Black Book™, said in the news release.

This lack of planning is concerning given that the healthcare industry has recently been one of the top targets for data breaches. Among the larger-scale healthcare security incidents in 2017, a Verizon data breach resulted in the release of a private database affecting 14 million customers, and patient data, including their name, Medicaid ID number and more, for 1.1 million people was inadvertently made public through a live hyperlink in an Indiana Health Coverage Program Report.

Findings from the November 2017 Protenus Data Breach Report show there was at least one healthcare data breach per day since the beginning of 2017.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights continues to monitor the issue of cybersecurity in healthcare and stresses that data breaches caused by insider threats are a recurring issue.

Cybersecurity tips from HHS include:

  • Consider using logs to document whenever access is granted (both physical and electronic), privileges increased, and equipment given to individuals.
  • Consider having alerts in place to notify the proper department when an account has not been used for a specified number of days.
  • De-activate or delete user accounts, including disabling or changing user IDs and passwords.

“When an employee or other workforce member leaves, it is extremely important that covered entities and business associates prevent unauthorized access to protected health information (PHI) by ensuring that the former workforce member’s access to PHI is effectively terminated,” HHS reports.
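The HHS tips on inactive-account alerts and terminating former workforce members' access can be combined into one periodic account review. The following is an added example, not code from HHS or Black Book; the account records, the HR separation list and the 45-day idle threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: account records as an identity system might export them.
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "last_login": "2018-01-28"},
    {"user": "bjones", "enabled": True, "last_login": "2017-10-02"},
    {"user": "cnguyen", "enabled": True, "last_login": None},  # never logged in
    {"user": "dpatel", "enabled": False, "last_login": "2017-06-15"},
    {"user": "elee", "enabled": True, "last_login": "2018-01-30"},
]
# Constructed HR list: workforce members who have left, with separation date.
SEPARATED = {"elee": "2018-01-15", "dpatel": "2017-06-30"}


def parse_day(text):
    """Parse a YYYY-MM-DD string, or return None when no date is recorded."""
    return datetime.strptime(text, "%Y-%m-%d") if text else None


def review_accounts(accounts, separated, today, max_idle_days=45):
    """Return (user, reason) findings for enabled accounts that need action."""
    findings = []
    cutoff = today - timedelta(days=max_idle_days)  # assumed idle threshold
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already de-activated, nothing to alert on
        user, last = acct["user"], parse_day(acct["last_login"])
        if user in separated:
            # Former workforce member whose account is still enabled.
            left = parse_day(separated[user])
            if last and last > left:
                findings.append((user, "login after separation"))
            else:
                findings.append((user, "separated but still enabled"))
        elif last is None:
            findings.append((user, "never used"))
        elif last < cutoff:
            findings.append((user, f"idle {(today - last).days} days"))
    return findings


if __name__ == "__main__":
    for user, reason in review_accounts(ACCOUNTS, SEPARATED, datetime(2018, 2, 1)):
        print(f"ALERT {user}: {reason}")
```

A login recorded after the separation date is reported separately from a merely lingering account because it indicates the access was actually used and should be escalated rather than just disabled.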

Source: Pulse February 2018 – Vol. 34 No. 2