In view of recent highly publicized cyber attacks and the resulting financial, regulatory and reputational risks, healthcare organizations should be highly focused on cyber security. Yet in a recent survey of 223 executives at healthcare providers and health plans with more than $500 million in revenue, KPMG found that 81% of the respondents said their organizations have been compromised by at least one cyber attack during the past two years, and only 53% of the providers and 66% of the health plans felt that their organizations are adequately prepared to prevent or defend against attacks. (See "Health Care and Cyber Security: Increasing Threats Require Increased Capabilities.")

The survey respondents identified their greatest data security vulnerabilities as: external hackers (65%), sharing data with third parties (48%), employee breaches or theft (35%), wireless computing (35%), and inadequate firewalls (27%). Their most important security concerns were: malware infecting systems (67%), HIPAA violations/compromise of patient privacy (57%), employee theft or negligence (40%), medical device security (32%), and adding technology hardware (31%). One of the most alarming findings was that only 35% of the respondents felt they had adequate security resources for managing vendor security risks. 

According to KPMG, “In terms of technical capabilities, the healthcare industry is behind other industries in protecting its infrastructure and electronic protected health information (ePHI) – as commonly seen in the use of outdated clinical technology, insecure network-enabled medical devices, and an overall lack of information security management processes.”