
A new study finds that employees who are unaware of threat exposure, and who have not been educated about potential threats to health care data and critical care infrastructure, present the biggest threats.

The 2017 Level 3 Healthcare Security Study, conducted by HIMSS Analytics and sponsored by Level 3 Communications, Inc., finds that although nearly 80 percent of respondents say employee security awareness is their greatest concern regarding threat exposure, 85 percent indicate they already have security awareness programs in place for employees.

There are plenty of strategies that can take advantage of an employee’s ignorance or obliviousness to certain types of threats, but there are plenty of other reasons to be concerned about cyber risk — including what insurers may do — or not do — for institutions and companies that fail to adequately protect confidential patient data. And there’s also the little matter of medical devices being hacked — something that has yet to occur, but is definitely within the realm of possibility.

Other security threat exposures that health care organizations fear include exposure from partners and/or third parties; securing wireless and employee devices (the latter also known as BYOD, for “bring your own device”); a lack of appropriate network design and segmentation; and lack of internal expertise and skilled security resources.

In order of their need of network uptime, hospitals rank electronic health records at the top of the list, followed by hospital interface systems, remote monitoring, communications and PACS storage (for “picture archiving and communication system,” a medical imaging technology).

And while health care organizations usually mitigate risk in multiple ways, such as remote access/secure access controls, employee security awareness programs and security consulting services that can include vulnerability assessments and penetration testing, some of the measures that can combat IT threats are only found in larger institutions.

But over the next few years, organizations are planning to augment their defenses with additional strategies, such as cyberthreat intelligence, distributed denial-of-service mitigation and next-generation firewalls.