Staff negligence is a leading IT concern


Concerns about negligent insiders top healthcare IT professionals’ worries about healthcare IT security, according to a new healthcare information security survey carried out by the SANS Institute, a cooperative research and education organization.

SANS’ inaugural healthcare information security survey brings together the opinions and insights of 373 healthcare IT professionals, who answered questions about their digital health initiatives, awareness and concerns over risk, and how they are (or are not) managing this risk. The survey was sponsored by Oracle, Redspin, Tenable Network Security and Trend Micro.

The majority of respondents represented IT staff working in some form of clinical setting, including a hospital (32%), physician group practice (12%), rural or critical access hospital (8%) and individual provider (6%). There were also several ancillary services represented, including health plan/payer (17%) and lab and radiology (12%).

"While these respondents primarily represented the IT side of healthcare, their biggest driver for information security is regulatory compliance," said survey author Barbara Filkins. "There was also a common theme on 'securing the human,' emphasizing a need for technical, clinical and compliance staff to work together for effective risk management and compliance."

In the survey, negligent insiders were a primary concern among 65% of respondents, followed by lack of investment in user awareness (53% selected this option as among their top three concerns). When asked about the effectiveness of their controls, only 40% rated "workforce training and awareness" as effective, while nearly 30% considered it their least effective control.

Respondents are also concerned about the security of their electronic medical records/electronic health records as well as personal health record or PHR systems. PHRs can be "untethered" from the more regulated electronic health record systems and not subject to the same regulatory protection and control.

"Despite these concerns, organizations are accepting the risks for the convenience of mobile and cloud technologies in delivering care to patients," Filkins added.

Results will be pre-released during the SANS HealthCare Cyber Security Summit, at the Hyatt Fisherman's Wharf in San Francisco, Oct. 23, 2013.

