5 Common Security Mistakes Healthcare Organizations Make

When Community Health Systems revealed it had been breached earlier this year, a spotlight was placed on cybersecurity in the healthcare industry, and the diagnosis was not good.

In that case, patient records for some 4.5 million people were exposed by hackers. The situation added Community Health Systems to the list of organizations impacted by security incidents, and sparked discussions about the importance of information sharing within the industry and between companies and the government.

Based on his experience consulting with healthcare organizations, Michael Wojcik, senior manager with Ernst & Young, noticed patterns among organizations that contribute to security failings, and at the (ISC)2 Security Congress in Atlanta this week outlined the five most common security mistakes healthcare organizations make.

Perhaps not surprisingly, understanding and managing risk is critical, and failing to do both are numbers one and two on Wojcik’s list of missteps. Organizations sometimes mistake control assessments for risk assessments, he explained in an interview with SecurityWeek. A gap in a control is a vulnerability; risk assessments are about events that could occur, and need to be explained in business terms as opposed to technical terms.

The failure to communicate actual risk can hinder the ability of IT departments to get the resources they need to secure the business, he said.

“If I have a breach,” he explained, “how much is it going to cost the organization? How much reputational damage am I going to get?”

Once the risks are understood, they must be managed. While that could mean taking steps to address them, it could also mean simply accepting certain risks according to the risk tolerance of the organization, Wojcik said. The appetite each business has for risk can be highly individual, and may depend on the size of the organization and its financial resources, he said.

It is also important for organizations to properly categorize their assets. Many organizations don’t have a good handle on where all the sensitive information in their organization is, he said. Not all systems on the network are created equal, as some may have more critical information than others.

“You need to protect the bigger, high-value assets differently and more because those are the kind of breaches that will cost you dearly both financially and reputationally, and potentially you can risk patient safety,” he said.

Mistakes four and five are closely related. Organizations often don’t develop objective control standards, and many times don’t use a control framework that is more prescriptive than HIPAA [Health Insurance Portability and Accountability Act], he said.

While HIPAA specifies the need for information system activity reviews, it does not specify how often or what activities should be looked at. Those types of details need to be documented in control standards, he told SecurityWeek.

“I think HIPAA was a good thing for the industry because it got them thinking about security and actually doing something with security,” he said. “But right now what it has done on the negative side, it’s created a culture of compliance…so it’s more a compliance-based mindset versus a security-based mindset. I think that it’s changing especially over the past six months to a year, where companies are seeing that the compliance aspects are important, but the compliance should be proven by your security and not vice versa.”
