Security Magazine logo
Cybersecurity News | Hospitals & Medical Centers

Are Small Hospitals More Vulnerable to Data Breaches?

By Carl Kunkleman
January 4, 2018

Hospitals face significant challenges in protecting patient data, and these challenges are even more acute for small community hospitals, which sometimes experience issues with staffing and lack of expertise.

The most obvious issue facing many hospitals is simply the age – and in some cases, the near-obsolescence – of their hardware. Outdated software such as Windows XP or old versions of SQL has security holes that cyber thieves can easily exploit. Even if a hospital runs more recent applications, it may not update them often enough. Software patches should be applied every 90 days, not once a year, as some hospitals do.

Many hospitals, especially in rural areas, don’t have sufficient health IT staff. Seven out of 10 providers report that their IT departments are understaffed, according to a survey by the Health Information Management and Systems Society (HIMSS). The IT professionals in these facilities are so focused on day-to-day issues and putting out fires that they don’t have enough time to focus on big-picture issues such as data security strategy. While the national shortage of health IT workers is partly to blame, many smaller hospitals simply can’t afford to hire more staff.

Nevertheless, the security of protected health information (PHI) is not optional. For one thing, it is required for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Security breaches can also harm patients and lead to costly class action suits. Community hospitals must figure out how to up their security game without spending a lot more money on health IT.


Greater Security at Lower Cost

Hospitals can solve some data-security problems while reducing their in-house IT expenses by moving from on-site to cloud-based data storage. This approach gives hospitals always-available backup and disaster recovery capabilities. It also removes the need to maintain and update much of the hospital’s IT infrastructure, and it can save hospitals the cost of buying new hardware at regular intervals.

Transitioning PHI to the cloud greatly reduces security risks associated with employees and others having physical access to servers in an on-site center. With cloud storage, a rogue employee or criminal can’t simply open a door and damage or remove hardware.

The cloud also helps hospitals overcome the issue of having too few staff members dedicated to protecting PHI. Cloud providers have highly trained teams responsible for security as well as 24/7 monitoring systems. When using a cloud provider, a hospital “inherits” that company’s security posture and its technical policies and procedures to protect PHI. From reviewing audit logs to active patch management, administrative rights and access controls, cloud providers generally offer greater security than on-site client-server systems, because these tasks are what they specialize in.

Moreover, when a hospital hires a HIPAA-compliant cloud provider, the latter must sign a business associate agreement (BAA). Under a BAA, the cloud provider takes legal responsibility for safeguarding the PHI on its servers.


Security Risk Analysis Basics

Community hospitals, like other healthcare providers, must perform security risk analyses (SRAs) to comply with the HIPAA security rule. Some smaller facilities try to perform these analyses on their own, but that is a mistake. In most cases, they lack sufficient staff to do this work on a regular basis. They also lack the expertise required for this complex task.

Within the SRA are three “buckets” of safeguards:

  • Administrative
  • Physical
  • Technical

The most important technical safeguard involves the encryption of data, not only when the data is in use, but also when it’s at rest and in transit. A key point here is that HIPAA regulations do not require PHI to be encrypted when the data is at rest. However, sophisticated hackers try to penetrate databases to steal the maximum amount of data, so failing to encrypt data can have serious consequences.

HIPAA requires healthcare systems to maintain exact duplicates of all records. The big question here is: How often do you back up your data? We recommend that hospitals back up mission-critical data daily and do full backups weekly. These backups need to be encrypted and kept off site. The advantage of daily backups is that, if a hospital is hit with a ransomware attack, it has only lost one day of the data its providers need to deliver care.
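
The backup recommendation above can be checked mechanically against a backup catalog. The following is an added example, not part of the original article: the system names, the `Backup` record layout and the catalog entries are constructed for illustration, and only encrypted, off-site copies are counted as usable.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    system: str
    kind: str            # "full" or "incremental"
    finished: datetime
    encrypted: bool
    offsite: bool

# Thresholds taken from the article's recommendation.
MAX_AGE_ANY = timedelta(days=1)    # mission-critical data: daily
MAX_AGE_FULL = timedelta(days=7)   # full backup: weekly

def usable(backups, system):
    """Copies that meet the article's bar: encrypted and kept off site."""
    return [b for b in backups
            if b.system == system and b.encrypted and b.offsite]

def exposure(backups, system, now):
    """Data lost if the system were hit by ransomware right now (None = no usable copy)."""
    newest = max((b.finished for b in usable(backups, system)), default=None)
    return None if newest is None else now - newest

def audit(backups, systems, now):
    """Map each non-compliant system to its list of findings."""
    report = {}
    for system in systems:
        found = []
        for b in backups:
            if b.system == system and not (b.encrypted and b.offsite):
                gap = "unencrypted" if not b.encrypted else "stored on site"
                found.append(f"{b.kind} {b.finished:%Y-%m-%d} {gap}")
        lost = exposure(backups, system, now)
        if lost is None or lost > MAX_AGE_ANY:
            found.append("no usable backup within 1 day")
        fulls = [b.finished for b in usable(backups, system) if b.kind == "full"]
        if not fulls or now - max(fulls) > MAX_AGE_FULL:
            found.append("no usable full backup within 7 days")
        if found:
            report[system] = found
    return report

# Constructed sample catalog (system names are hypothetical).
NOW = datetime(2018, 1, 4, 6, 0)
CATALOG = [
    Backup("ehr-db", "full", datetime(2017, 12, 31, 2), True, True),
    Backup("ehr-db", "incremental", datetime(2018, 1, 4, 2), True, True),
    Backup("pacs", "full", datetime(2017, 12, 24, 2), True, True),
    Backup("pacs", "incremental", datetime(2018, 1, 3, 23), True, True),
    Backup("lab", "full", datetime(2018, 1, 1, 2), True, False),
    Backup("lab", "incremental", datetime(2018, 1, 4, 1), False, True),
]
```

Calling `audit(CATALOG, ["ehr-db", "pacs", "lab"], NOW)` flags `pacs` for a stale full backup and `lab` for having no usable copy at all, while `exposure` gives the worst-case data-loss window per system.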


Compliance Dashboard

One recent innovation that has made HIPAA compliance easier is a dashboard that monitors hospitals’ IT systems and alerts staff to any potential problems. Ideally, the compliance dashboard would track anti-virus, anti-malware and intrusion detection systems, along with audit reporting and raw logs of all operating system activity in one centralized location. A key portion of this dashboard is a HIPAA-compliance scorecard that maps a hospital’s compliance with HIPAA regulations, providing hospital administrators with a daily update on compliance status.

The most important part of an SRA is the remediation plan, which prioritizes issues and describes how to address them. Classifying risks into categories of high, medium and low concern, the remediation plan focuses on the highest risks and lays out the steps needed to improve security in those areas. This process is very educational for a hospital’s IT staff, who appreciate the ability to deepen their professional knowledge.

While it may seem daunting at first, transitioning PHI to the cloud offers numerous advantages to hospitals and health systems, including lower costs, greater security and less liability exposure, when compared with on-site data centers. No hospital is able to mitigate every risk, but administrators can rest easier knowing that their data is secure with an experienced cloud provider. Staying out in front of hackers is always a race, but moving PHI to the cloud can help keep hospitals one step ahead.


KEYWORDS: data breach ransomware security budget Small to Medium Business (SMB) security


Carl Kunkleman is senior vice president and co-founder of ClearDATA, the trusted managed cloud provider, designed for today’s healthcare security needs. He is a healthcare industry veteran with 25 years of experience in pharmaceuticals (Abbott Laboratories, TAP Pharmaceuticals), diagnostic, medical software and healthcare professional services.

Copyright ©2025. All Rights Reserved BNP Media.
