10 security considerations for hospital management information systems
Gugu Ntsele April 28, 2025

Hospital management information systems (HMIS) have become the backbone of efficient patient care delivery. However, these systems are also targets for cyberattacks due to the sensitive nature of the data they contain.
An Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds, a research article available through the NIH's PubMed Central, emphasizes this exposure, noting that "as hospitals collect, use, and store personal information and health information related to an individual's privacy directly, the risks of information leakage, forgery, and falsification are more serious than any other institutions. The actions for personal health information protection are very important to both hospitals and patients. To ensure the confidentiality of medical information is a fundamental condition for continuity of medical practice."
A compromised HMIS can lead to patient data breaches and disruption of critical care services. Below are 10 security considerations that hospitals should address:
1. Access control and identity management
One of the fundamental security measures for HMIS is implementing access control. Healthcare staff should only have access to information necessary for their specific roles—known as the principle of least privilege.
Access control mechanisms can include:
- Role-based access control (RBAC) tailored to job responsibilities
- Multi-factor authentication (MFA) for all system access
- Biometric authentication for access to highly sensitive areas or data
- Regular user access reviews and prompt removal of access when staff leave
- Password policies aligned with current guidance: long passphrases, screening against known-breached passwords, and rotation when compromise is suspected rather than on a fixed schedule
The research article highlights a related gap, observing that "medical information systems including important personal health information should be separated from the internet, but some hospitals did not separate personal medical records from networks either physically or logically. In matters of mobile computing and teleworking, there were many demands for telemedicine, but it was not allowed because of security even now." This shows the importance of network separation and carefully controlled access points in healthcare environments.
Real-world example:
In 2024, UnitedHealth Group experienced a breach when cybercriminals exploited stolen credentials to access Change Healthcare's Citrix portal, which lacked multi-factor authentication (MFA). This oversight allowed attackers to exfiltrate sensitive data of over 100 million individuals. The incident demonstrates how inadequate access controls can lead to data breaches, emphasizing the importance of implementing strong authentication mechanisms across all access points.
2. Data encryption
Healthcare organizations handle large volumes of sensitive patient data. Encryption protects that data at rest and in transit, so that a copied database, a lost backup tape or an intercepted network session yields nothing usable without the keys.
An encryption strategy can include:
- End-to-end encryption for all data transmissions
- Storage encryption for databases and file systems
- Encryption of backup data
- Hardware security modules (HSMs) for encryption key management
- Encrypted communication channels between integrated systems
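The last item above, encrypted channels between integrated systems, fails in practice most often not because TLS is absent but because certificate verification has been switched off to make an interface "work". The following Python snippet, added here and not from the original article, shows a hardened client context for an integration connection beside the insecure one, plus a check that reports the weaknesses. It uses only the standard ssl module; the CA bundle path is an assumed operator-supplied value.

```python
import ssl
from typing import List, Optional


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Context an integration engine should use when it connects to another clinical
    system (lab, pharmacy, PACS) over TLS. ca_bundle is an assumed operator-supplied
    path to the CA certificates that issued the peer's certificate; None uses the
    system store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2           # refuse TLS 1.0 and 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The 'just make it connect' configuration often found in interface engines:
    the peer's certificate is never verified, so anyone on the path can impersonate it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a reviewer would flag in a client TLS configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified: trivial man-in-the-middle")
    if not ctx.check_hostname:
        findings.append("hostname is not checked: a valid certificate for any other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol is {ctx.minimum_version.name}; require TLS 1.2 or newer")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("insecure:", audit_context(insecure_client_context()))
```

The hardened context is the object handed to http.client.HTTPSConnection(host, context=ctx) for a FHIR endpoint, or to ctx.wrap_socket(sock, server_hostname=host) for a raw TCP interface such as an HL7 feed; the audit function is the kind of check a configuration review (section 4) would run over every interface definition.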
Real-world example:
The 2023 breach at Hospital Sisters Health System (HSHS) exposed sensitive patient data of over 882,000 individuals, including medical records, health insurance information, and Social Security numbers. Specific encryption failures weren't publicly detailed, and what encryption can do in a case like this should be stated precisely: encrypting databases, file stores and backups means that an attacker who copies files or media without the keys gets nothing usable, which limits the fallout of many exfiltration events. It does not protect against an attacker who operates through a compromised user or application account, because the application decrypts data for that account exactly as it would for a legitimate user. Encryption therefore has to be paired with the access controls and monitoring covered elsewhere in this list.
3. Asset management
HMIS has numerous information assets that require proper classification and protection. According to the research article, "to control and maintain protection of the information asset, information asset classification which is a basic for identifying information assets and evaluating risks is needed. Asset management was analyzed to be the most vulnerable clause in the ISMS. There were little classification guidelines which were a base for establishment of countermeasures for information security management in hospitals.”
An asset management program can include:
- Inventory of all information assets
- Classification of assets based on sensitivity and criticality
- Clear ownership and responsibility for each asset
- Regular reviews and updates of asset inventory
- Risk assessment processes for new and existing assets
Real-world example:
In 2023, HMG Healthcare experienced a data breach affecting 40 facilities across Texas and Kansas. Attackers accessed unencrypted files containing sensitive information, including medical records and Social Security numbers. The breach was discovered months after it occurred, suggesting that the affected data stores were not adequately tracked and classified. This incident demonstrates how poor asset management can leave organizations unaware of vulnerable data stores and delay breach detection.
4. Regular security assessments and penetration testing
Hospital management systems should undergo regular security assessments to identify and address vulnerabilities before they can be exploited.
An assessment program can include:
- Vulnerability scanning on a scheduled basis
- Annual penetration testing by qualified security professionals
- Compliance audits against relevant regulations and standards (HIPAA, GDPR, ISO/IEC 27001, etc.)
- Risk assessments when implementing new technology or workflows
- Configuration reviews of system components
Real-world example:
In July 2023, HCA Healthcare reported a data breach impacting approximately 11 million patients. The data was taken from an external storage location used to format email messages. The incident shows the need for regular security assessments, including penetration testing, across every system that touches patient data, not only those deemed critical; an assessment covering that external storage system might have identified and remediated the weakness before attackers exploited it.
5. Patch management and system updates
Outdated software is one of the most common attack vectors in healthcare environments. Keeping HMIS components updated is important for security.
A patch management program can include:
- Automated monitoring for available updates
- Testing updates in a non-production environment before deployment
- Defined maintenance windows for system updates
- Emergency procedures for security patches
- Documentation of all system changes
For systems that cannot be immediately updated (such as legacy medical devices), compensating controls should be implemented to mitigate risks, such as network segmentation or additional monitoring.
Real-world example:
In 2014, Community Health Systems suffered a breach affecting 4.5 million patients. Attackers reportedly exploited the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL on an internet-facing VPN device to obtain credentials, then used them to reach patient data. Heartbleed was publicly disclosed in April 2014 with a fixed release (OpenSSL 1.0.1g) available the same day, so the breach showed inadequate asset management and patching practices: without an inventory of every system running the vulnerable library and clear responsibility for updating each one, the organization was unable to patch all vulnerable systems promptly, leaving patient data exposed to attackers.
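An added Python example, not from the original article and not tied to any real inventory, connects the asset management list in section 3 with the patch management list in this section: it parses OpenSSL version strings, decides whether each one falls in the Heartbleed-affected range (CVE-2014-0160: 1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release), and triages a constructed inventory by PHI exposure, segmentation and ownership. The asset names, owners and the priority labels are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    owner: Optional[str]     # None means nobody is accountable for patching it
    openssl_version: str     # as reported by `openssl version` or by the vendor
    handles_phi: bool        # classification: does it store or process PHI?
    segmented: bool          # compensating control: isolated from the clinical network


def parse_openssl_version(version: str) -> Tuple[int, int, int, str, str]:
    """Split '1.0.1f' into (1, 0, 1, 'f', '') and '1.0.2-beta1' into (1, 0, 2, '', 'beta1')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, letter, tag = m.groups()
    return int(major), int(minor), int(patch), letter, (tag or "")


def heartbleed_affected(version: str) -> bool:
    """CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g) and the
    1.0.2-beta1 pre-release; the 0.9.8 and 1.0.0 branches never had the bug."""
    major, minor, patch, letter, tag = parse_openssl_version(version)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"          # '' (plain 1.0.1) and 'a'..'f' sort before 'g'
    if (major, minor, patch) == (1, 0, 2):
        return tag == "beta1"
    return False


def triage(inventory: List[Asset]) -> List[dict]:
    """Turn the inventory into a prioritised work list. Priorities are assumed labels:
    P0 = exposed PHI system, patch immediately; P1 = affected but segmented or no PHI;
    P2 = cannot assess because the inventory record is incomplete."""
    findings = []
    for a in inventory:
        try:
            affected = heartbleed_affected(a.openssl_version)
        except ValueError:
            findings.append({"asset": a.name, "owner": a.owner, "priority": "P2",
                             "action": "version unknown, cannot assess; complete the inventory record"})
            continue
        if not affected:
            continue
        priority = "P0" if (a.handles_phi and not a.segmented) else "P1"
        action = "upgrade to OpenSSL 1.0.1g or later, then reissue certificates and rotate keys"
        if a.owner is None:
            action += "; no owner assigned, escalate to asset management"
        findings.append({"asset": a.name, "owner": a.owner, "priority": priority, "action": action})
    return sorted(findings, key=lambda f: f["priority"])


# Constructed inventory for the example (not a real hospital's systems).
INVENTORY = [
    Asset("patient-portal-web",   "web platform team", "1.0.1e",  handles_phi=True,  segmented=False),
    Asset("lab-interface-gw",     None,                "1.0.1",   handles_phi=True,  segmented=True),
    Asset("pacs-viewer",          "imaging",           "1.0.1g",  handles_phi=True,  segmented=False),
    Asset("hr-portal",            "hr-it",             "1.0.1c",  handles_phi=False, segmented=False),
    Asset("legacy-infusion-mgmt", "biomed",            "unknown", handles_phi=True,  segmented=True),
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f["priority"], f["asset"], "->", f["action"])
```

Two details matter in practice: a record with an unparseable version is a finding in its own right, because an inventory that cannot answer "are we running the vulnerable library?" is the failure the CHS case illustrates; and patching Heartbleed was never complete without reissuing certificates and rotating keys, since the bug could have leaked them before the patch went on.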
6. Audit logging and monitoring
Audit logging provides visibility into system activities and helps detect suspicious behavior.
Aspects of effective logging include:
- Capturing all system access attempts (successful and failed)
- Recording changes to system configurations and patient data
- Implementing tamper-evident, append-only log storage that administrators of the monitored systems cannot alter
- Real-time monitoring for suspicious activities
- Security Information and Event Management (SIEM) integration
- Automated alerts for potential security incidents
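As an added example, not taken from the original article or from any vendor's SIEM, the following Python code runs two detections over constructed audit lines in an assumed format: a burst of failed logins against one account (and a success immediately after it), and a single user reading charts for many distinct patients in a short window, the classic record-snooping pattern. Field names, thresholds and windows are assumptions a team would tune to its own HMIS.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed line format (constructed for this example; real HMIS audit formats differ):
#   <ISO-8601 UTC timestamp> user=<id> action=<verb> [patient=<id>] result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: patient=(?P<patient>\S+))? result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Parse audit lines into dicts sorted by time. Malformed lines are returned separately:
    a sudden rise in unparseable lines can itself indicate tampering or a broken log source."""
    events, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            if line.strip():
                malformed.append(line)
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events, malformed


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a burst of failed logins per user, and (higher priority) a success right after one."""
    alerts, failures, burst_flagged = [], defaultdict(deque), set()
    for e in events:
        if e["action"] != "login":
            continue
        q = failures[e["user"]]
        while q and e["ts"] - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if e["result"] == "failure":
            q.append(e["ts"])
            if len(q) >= threshold and e["user"] not in burst_flagged:
                burst_flagged.add(e["user"])
                alerts.append({"rule": "failed_login_burst", "user": e["user"], "ts": e["ts"],
                               "detail": f"{len(q)} failures within {window}"})
        elif len(q) >= threshold:
            alerts.append({"rule": "login_after_failures", "user": e["user"], "ts": e["ts"],
                           "detail": "success after a failure burst: possible credential guessing"})
            q.clear()
    return alerts


def record_snooping_alerts(events, threshold=10, window=timedelta(minutes=10)):
    """Flag a user who reads the charts of many distinct patients in a short window."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)        # user -> deque of (ts, patient) inside the window
    in_window = defaultdict(Counter)   # user -> patient -> reads still inside the window
    for e in events:
        if e["action"] != "chart.read" or e["result"] != "success" or not e["patient"]:
            continue
        u, q, c = e["user"], recent[e["user"]], in_window[e["user"]]
        q.append((e["ts"], e["patient"]))
        c[e["patient"]] += 1
        while q and e["ts"] - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= threshold and u not in flagged:
            flagged.add(u)
            alerts.append({"rule": "record_snooping", "user": u, "ts": e["ts"],
                           "detail": f"{len(c)} distinct patient charts read within {window}"})
    return alerts


def run_detections(text):
    events, malformed = parse_log(text)
    return failed_login_alerts(events) + record_snooping_alerts(events), malformed


# Constructed sample: one credential-guessing burst that then succeeds, one nurse paging
# through 12 patients in four minutes, one physician reading two assigned patients,
# and one unparseable line.
SAMPLE_LOG = "\n".join(
    [f"2025-04-28T02:10:{s:02d}Z user=rlee action=login result=failure" for s in (1, 9, 15, 22, 30)]
    + ["2025-04-28T02:10:41Z user=rlee action=login result=success"]
    + [f"2025-04-28T09:{i // 3:02d}:{(i % 3) * 20:02d}Z user=nurse7 action=chart.read "
       f"patient=P{2000 + i} result=success" for i in range(12)]
    + ["2025-04-28T09:30:00Z user=drkim action=chart.read patient=P1001 result=success",
       "2025-04-28T10:15:00Z user=drkim action=chart.read patient=P1002 result=success",
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    found, bad = run_detections(SAMPLE_LOG)
    for a in found:
        print(a["ts"].isoformat(), a["rule"], a["user"], a["detail"])
    print("malformed lines:", len(bad))
```

The snooping rule is deliberately crude: a unit clerk may legitimately touch many charts, so in production the threshold is set per role and the alert is routed to the privacy office rather than the SOC. The value of the example is in the shape of the logic: both rules need only the fields listed in this section, which is why capturing every access, with patient identifier and outcome, is the prerequisite for everything else here.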
Real-world example:
In October 2021, Broward Health suffered a data breach in which an intruder accessed personal and medical information of patients and staff through the office of a third-party medical provider that had access to its systems. The intrusion went undetected for four days, suggesting gaps in audit logging and real-time monitoring, and that delay gave the attacker extended access to sensitive systems and data. With comprehensive logging and automated alerts on suspicious activity, such as a third-party account reaching data outside its normal pattern, security teams could have identified and contained the intrusion sooner and limited its scope.
7. Physical and environmental security
The research article revealed gaps in this area: "There were no entry logs of offices, even in the data processing department with concentrated information assets. Public access, and delivery showed to be the most vulnerable among sub-controls. The level of equipment security was relatively higher than other controls and cabling security was managed well in the 5 hospitals. But equipment that could contain personal health information was disposed of and re-used inappropriately".
A physical security approach can include:
- Restricted access to server rooms and data centers
- Video surveillance of sensitive areas
- Environmental controls (temperature, humidity, fire suppression)
- Proper disposal procedures for equipment containing PHI
- Secure asset tracking for mobile devices and removable media
Real-world example:
The University of Miami Hospital experienced multiple physical thefts, including medical equipment and patient data; notably, two former employees accessed patient registration forms containing sensitive information. These incidents reveal deficiencies in physical security and show that physical breaches can be as damaging as cyberattacks, underscoring the need for physical access controls, surveillance of sensitive areas, and proper handling of paper documents containing protected health information.
8. Human resources security
According to Amy Larson DeCarlo, Principal Analyst, Security and Data Center Services at GlobalData, “It is important for healthcare institutions and payer organizations to understand that the weakest security link in an organization is the human element.” The research article emphasizes that "people involved in hospitals such as employees, contractors and third party users should understand the responsibilities of information protection, and hospitals should set up procedures of termination or change of employment, and the education and evaluation schedules to train all staff".
An HR security program can include:
- Security awareness training for all staff
- Background checks for employees with access to sensitive data
- Clear security responsibilities in job descriptions
- Formal offboarding procedures when staff leave
- Regular security refresher training
- Consequences for security policy violations
Real-world example:
In 2021, Insight Global, a staffing firm managing COVID-19 contact tracing in Pennsylvania, mishandled sensitive data when employees shared it through unauthorized Google accounts. The exposure affected about 72,000 residents and showed the need for human resources security policies and training: the improper data handling appears to have stemmed from inadequate security awareness training and unclear policies. The incident demonstrates how human error and process failures can lead to data exposure, and that technological controls must be complemented by staff training and clear security policies.
9. Incident response and business continuity
When security incidents occur, hospitals must be prepared to respond quickly and effectively. The research article found shortcomings in this area, noting that "for the cases of information security incidents, organization systems or procedures, no actions were set up. Reporting security weaknesses was implemented in 4 hospitals, the collection of evidence and recovery and follow-up security events were at a very low level (10 to 12%)."
Regarding business continuity, they observed that "some hospitals had disastrous recovery systems, but developing and implementing continuity plans including information security, business continuity planning framework and testing, maintaining and reassessing business continuity plans were not established properly to face the disasters.”
An incident response program can include:
- Clearly defined incident response procedures
- Designated incident response team with defined roles
- Regular incident response drills and tabletop exercises
- Forensic investigation capabilities
- Communication protocols for various types of incidents
- Post-incident review and continuous improvement
Real-world example:
In 2022, Baton Rouge General Health System suffered a cyber incident that disrupted electronic medical records and forced a temporary switch to paper charting. The intrusion occurred between June 24 and June 29, but the organization confirmed it only later. The case shows why hospitals need tested incident response plans and business continuity procedures, including downtime procedures that keep patient care going when digital systems are unavailable, and clear communication protocols so that stakeholders are informed promptly about security events.
10. Vendor management and third-party risk
HMIS platforms integrate with numerous third-party applications and services, each of which widens the attack surface and represents a potential security risk.
A vendor management program can include:
- Security assessments during procurement processes
- Contractual security requirements for all vendors
- Regular security reviews of existing vendors
- Monitoring of vendor access to hospital systems
- Incident response procedures for vendor-related breaches
- Contingency plans for vendor service disruptions
Real-world example:
Stanford Hospital disclosed a breach in 2011 after a spreadsheet containing about 20,000 emergency-room patient records from 2009 was found posted on a public website, where it had remained for nearly a year. The exposure was traced to a third-party vendor, emphasizing the need for third-party risk management: security assessments of vendors' data handling practices would have identified the weak controls and could have prevented the exposure. The case underscores the importance of extending security assessments to vendor relationships, not just the hospital's own systems.
FAQs
How can hospitals secure HMIS on mobile devices used by staff?
Hospitals should enroll staff devices in mobile device management (MDM), enforce device encryption and screen locks, retain the ability to wipe a lost or stolen device remotely, and keep PHI out of unmanaged apps and devices.
How should hospitals handle legacy systems that can’t be updated?
They should isolate these systems from the main network and increase monitoring to reduce exposure.
How often should hospitals update their cybersecurity policies?
Cybersecurity policies should be reviewed and updated at least annually or when new threats emerge.
How can hospitals test the effectiveness of their current cybersecurity strategy?
Hospitals can run simulated cyberattack drills and conduct third-party security audits to evaluate preparedness.