A study published this week in the Journal of the American Medical Informatics Association found that hospitals with low cybersecurity ratings were more likely to experience a data breach.
The research, which also compared hospital cybersecurity ratings with Fortune 1000 firms, found that health systems remain statistically more vulnerable to botnets, spam and malware.
"Recent hacking and ransomware attacks may be shifting the security landscape for hospitals, with much larger potential hospital and patient consequences," wrote University of Central Florida's Sung Choi and Vanderbilt University's M. Eric Johnson in the study.
"Ongoing risk assessment is needed to keep up with these threats and will likely require even further security investment," they added.
WHY IT MATTERS
First, Choi and Johnson compared longitudinal cybersecurity risk ratings from BitSight of 594 hospitals with the ratings of 971 Fortune 1000 firms over the course of five years. (A disclosure notes that Johnson served as an early-stage advisor to BitSight and holds unexpired options for his involvement with the firm from 2012 to 2013.)
They found that, overall, hospitals had significantly lower security ratings than the Fortune 1000 firms from 2014 to 2016 – but the gap narrowed over time.
By 2017 through the end of the study period in 2019, that difference was no longer statistically significant.
"The reduction in the gap in security rating suggests that healthcare providers are catching up to the general cybersecurity performance of large, publicly traded firms," read the study.
However, that catch-up has not been consistent across the board: When it comes to measures of vulnerability against botnets, spam and malware, hospitals have improved but are still lagging behind.
Choi and Johnson also compared the cybersecurity ratings of hospitals that had experienced a data breach with those that had not.
Perhaps unsurprisingly, hospitals with low security ratings were associated with significant risk of a data breach.
"Hospital executives should work to reduce risks related to both technical security controls such as updated software and security applications, along with human vulnerabilities that can be addressed through enhanced training and overall security culture," observed Choi and Johnson.
THE LARGER TREND
Although hospitals and health systems certainly aren't alone when it comes to being targeted – recent attacks on pipelines, meat processors and government agencies make that clear – the potential risk to patient care means their incidents often make major news.
Recently, Scripps Healthcare experienced a weeks-long network shutdown following a ransomware attack – only to then face a series of lawsuits from individuals saying the health system should have protected their data better.
ON THE RECORD
"Policy makers should monitor the risk to the healthcare sector and provide incentives for hospitals to invest in risk management and overall information security," said Choi and Johnson in the JAMIA study.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.