Hackers continue to target healthcare organizations, malware is a constant threat, and ransomware continues to pose many problems, but when it comes to the biggest healthcare data security threats, employee security awareness has topped the table.
HIMSS Analytics recently asked 125 healthcare IT leaders and IT professionals about their biggest concerns, and the top-ranked data security threat was a lack of employee security awareness. This does not appear to be because employees have been left uninformed about risks and best practices: 85% of respondents said they did provide security awareness training to employees, yet almost 80% of respondents still said employee security awareness was their top concern.
The survey suggests that while employee security awareness training is important, in many cases it is not particularly effective. Employees are prone to carelessness and many take security risks that can leave the door open to hackers. Unfortunately, all it takes is for one employee to make one serious mistake and a hacker can take advantage.
Next on the list of concerns was partners and third parties, rated as a major concern by 69% of respondents. BYOD has long posed problems for IT security professionals and continues to do so: BYOD and wireless devices were the next biggest concern, rated as a top issue by 54% of respondents. There is certainly no shortage of threat intelligence available, but 39% of respondents said there was a lack of actionable threat intelligence.
Healthcare data breaches may now be occurring at unprecedented levels, but the majority of respondents only expressed moderate concern about suffering a security incident in the next 12 months. Just 12% of respondents said they were very concerned about experiencing a security incident, although only 1.6% said they had no concern at all. Respondents were asked to rate their concern from 1-7, with 1 being no concern at all and 7 being very concerned. The average rating was 4.8.
When it comes to mitigating risk and improving security posture, the majority of respondents did not put all their faith in one or two solutions. Multiple risk mitigation controls were employed, the most common being remote access/secure access controls (87%), employee security awareness training (85%), security consulting services, pen tests, and vulnerability testing (75%), next gen firewalls (62%), DDoS mitigation services (56%) and cyber threat intelligence (55%). Most respondents were planning on adding or augmenting those protections in the next two years.