Security threats, hackers and shadow IT still plague health IT

New analyses of security posture in the fast-growing health-tech market highlight the challenges posed by both external threats and unauthorized cloud applications.


Security has long been a primary challenge in the health IT market, and two new reports help illustrate the vulnerabilities surrounding some of the most sensitive consumer data.

The health IT group HIMSS on Tuesday released its 2015 cybersecurity survey, finding that 87 percent of healthcare officials and information security workers polled identify cybersecurity as an increasing business priority within their organizations, but still report an alarming rate of intrusions.

Two-thirds of the nearly 300 respondents report that their organization had recently experienced a "significant" cyber event, and many express little confidence in their ability to defend against zero-day attacks.

In a statement, HIMSS Vice President Lisa Gallagher calls the recent breaches in the healthcare sector a "wake-up call" that should remind the industry that the information held in medical systems is a high-value target, and that many firms need to take security more seriously.

"Healthcare organizations need to rapidly adjust their strategies to defend against cyberattacks," Gallagher says. "This means implementing threat data, incorporating new tools and sophisticated analysis into their security process."

Shadow IT is a big threat in healthcare

In a separate study, the security-software vendor Skyhigh Networks offers a sobering assessment of the extent of unauthorized applications and services running within healthcare organizations. As a result of that so-called shadow IT, the average healthcare firm is running 928 cloud services, more than 10 times the number that IT departments know to be in use, according to Skyhigh's analysis.

In most cases, employees have no malicious intent when they use unauthorized tools to collaborate, develop software or share content, but in doing so they nonetheless introduce new security vulnerabilities -- only 7 percent of the cloud services Skyhigh detected meet its standards for acceptable enterprise security and compliance.

As a starting point, Rick Hopfer, CIO at Molina Healthcare, suggests that CIOs take an inventory of the cloud services running within their organizations to assess their security posture. The exercise of evaluating what types of applications employees are running can shed light on the tools they need to support the business objectives of the enterprise.

Safe cloud adoption in healthcare is crucial

"You don't know what you don't know, so the first thing CIOs can do to help their employees adopt the cloud safely is to discover all the services in use across the organization," Rick Hopfer, CIO at Molina Healthcare, writes in an email. "Employees rarely have the information to determine whether a particular cloud application complies with organization's security and compliance policies."

The average healthcare employee uses 26 different cloud services, Skyhigh found. And those applications often have very different levels of security protections, highlighting the importance of the IT department working with the business units to ensure that cloud services are deployed safely and managed by the CIO's team.

"We educate employees on which services are high-risk and provide them with cloud services that have best-in-class security capabilities and a great user experience," Hopfer says.


As hackers grow more sophisticated and attacks mount, security is a primary concern for CIOs in all industries, but it carries a special importance in healthcare owing to the sensitivity of the data involved. Moreover, much of the information contained in health records is unalterable, and, taken in composite, makes for a remarkably full profile that criminals can put to use for all manner of fraudulent ends.

"It's a social engineer's dream," says Mark Sander, a health IT veteran who co-founded the North Jersey CIO Roundtable. "You can change your driver's license information. You can change your banking information. How do you change your biometric data? You can't."

This story, "Security threats, hackers and shadow IT still plague health IT " was originally published by CIO.
