Healthcare News & Insights

Report: Hospitals need better IT security protocol

Much has been said about putting appropriate network safeguards into place to prevent breaches of patients’ protected health information (PHI). According to a new report, not enough hospitals are following best IT security practices to manage employees’ access to this data. 

The report from IS Decisions, a security software provider, found that many healthcare institutions aren’t following HIPAA requirements as closely as they should be with their network access policies.

Common security flaws

IS Decisions surveyed healthcare professionals across the country on their experiences with HIPAA and data security protocol.

One big area that’s lacking: security training. Almost 30% of US healthcare workers surveyed received no security training when they first started their positions. A little over half (55%) of workers overall received security training on a regular basis after the onboarding process.

The gap in training may explain some of the dangerous security practices that run rampant in healthcare institutions, including using the same login information for multiple systems and devices on the network.

Every employee should have unique network access credentials, but 30% of those surveyed don’t have their own login. And in 6% of healthcare organizations, workers are openly allowed to share the same login credentials – a huge security risk.

Even worse: In some cases, employees aren’t required to log in at all.

In fact, 22% of US healthcare organizations don’t require login credentials for people who access the network. Not only does this make it difficult to track who’s accessing PHI, it also leaves the system wide open to hackers and cybersecurity attacks.

It’s not enough for a hospital to give workers unique logins for the network. There also need to be controls in place so that one login can’t be used on multiple machines at the same time, but that’s the case at only 37% of healthcare institutions.

Hospitals can go further and restrict network access to certain times of the day or to certain areas of the hospital. However, just 28% of healthcare organizations restrict access by location and 13% restrict access based on time.

The most common security measure hospitals and other healthcare entities take advantage of is disabling access after a certain period of inactivity. Close to half of healthcare workers in the US are logged off their network automatically if they’re inactive for too long.

Data access

Per the report, most healthcare workers have access to patient data (82%), and they believe the access is appropriate for their professional role (84%).

Healthcare institutions are doing a better job of keeping employees from having unnecessary access to data than they are with some other security measures. Fifty-seven percent of employees said they can only access the files and folders necessary to do their jobs. Forty-one percent say they have a specific level of user credentials that restricts their access to these folders.

While most organizations are diligent in removing network access for former employees, over one-third (37%) of employees continued to have access to their former employer’s network. And only 34% said they went through an official “de-registration” process with their company upon leaving.
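The access controls described above (no simultaneous use of one login on several machines, time-of-day and location restrictions, and removal of access when someone leaves) are all things an IT team can check against its own login records. The script below is an added example, not code from the report or from IS Decisions: it runs four such checks over a small set of constructed login sessions and a constructed account directory. All user names, host names, locations and times are made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from itertools import combinations


@dataclass(frozen=True)
class Session:
    """One network login: who, from which machine, where, and for how long."""
    user: str
    host: str
    location: str
    start: datetime
    end: datetime


def concurrent_logins(sessions):
    """Users whose single credential was active on two different hosts at once.

    Overlapping sessions on distinct hosts usually mean a shared or stolen
    login, which is exactly what a one-session-per-login rule should block.
    """
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s.user].append(s)
    flagged = set()
    for user, user_sessions in by_user.items():
        for a, b in combinations(user_sessions, 2):
            overlap = a.start < b.end and b.start < a.end
            if a.host != b.host and overlap:
                flagged.add(user)
    return flagged


def off_hours_logins(sessions, window_start=time(7, 0), window_end=time(19, 0)):
    """Users who logged in outside the permitted daily window (default 07:00-19:00)."""
    return {
        s.user for s in sessions
        if not (window_start <= s.start.time() < window_end)
    }


def out_of_area_logins(sessions, allowed_locations):
    """Users who logged in from a hospital area they are not permitted to use.

    A user missing from allowed_locations is treated as permitted nowhere.
    """
    return {
        s.user for s in sessions
        if s.location not in allowed_locations.get(s.user, set())
    }


def orphaned_accounts(enabled_accounts, terminated_users):
    """Accounts still enabled for people who have left the organization."""
    return set(enabled_accounts) & set(terminated_users)


# --- constructed sample data (not from the report) ---------------------------
DAY = datetime(2024, 3, 4)  # placeholder date
SAMPLE_SESSIONS = [
    Session("nurse_a", "ws-icu-01", "ICU",   DAY.replace(hour=8),  DAY.replace(hour=12)),
    Session("nurse_a", "ws-er-04",  "ER",    DAY.replace(hour=9, minute=30),
            DAY.replace(hour=10, minute=30)),           # same login, second machine
    Session("clerk_b", "ws-adm-02", "Admin", DAY.replace(hour=22, minute=15),
            DAY.replace(hour=23)),                      # late-night login
    Session("dr_c",    "ws-lab-01", "Lab",   DAY.replace(hour=10), DAY.replace(hour=11)),
]
ALLOWED_LOCATIONS = {
    "nurse_a": {"ICU", "ER"},
    "clerk_b": {"Admin"},
    "dr_c": {"Ward"},                                   # dr_c is not cleared for the lab
}
ENABLED_ACCOUNTS = {"nurse_a", "clerk_b", "dr_c", "ex_d"}
TERMINATED = {"ex_d"}                                   # left but never de-registered


def run_audit():
    """Run every check and return the findings keyed by control."""
    return {
        "concurrent_logins": concurrent_logins(SAMPLE_SESSIONS),
        "off_hours": off_hours_logins(SAMPLE_SESSIONS),
        "out_of_area": out_of_area_logins(SAMPLE_SESSIONS, ALLOWED_LOCATIONS),
        "orphaned_accounts": orphaned_accounts(ENABLED_ACCOUNTS, TERMINATED),
    }


if __name__ == "__main__":
    for control, findings in run_audit().items():
        print(f"{control}: {sorted(findings) or 'none'}")
```

Each function returns the set of users that fail one control, so the same checks can be pointed at real session logs exported from a directory or SIEM; the overlap test in `concurrent_logins` is the standard interval-intersection rule (each session starts before the other ends), which is what a one-session-per-login policy enforces at login time.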

Check for weaknesses

Protecting patient PHI through controlled user access to the network should be a top priority at every facility. Hospitals need to be sure that these important areas are specifically addressed in their HIPAA risk assessment plans, especially since federal HIPAA audits are looming.

To make sure your hospital doesn’t forget about these crucial data points, IS Decisions has created a user access checklist that facilities can follow to address security issues at every stage of employment, from the initial orientation process to when the job ends.
