Hospital management information systems (HMIS) have become the backbone of efficient patient care delivery. However, these systems are also targets for cyberattacks due to the sensitive nature of the data they contain.
An Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds, a research article by the NIH, emphasizes this vulnerability, noting that "as hospitals collect, use, and store personal information and health information related to an individual's privacy directly, the risks of information leakage, forgery, and falsification are more serious than any other institutions. The actions for personal health information protection are very important to both hospitals and patients. To ensure the confidentiality of medical information is a fundamental condition for continuity of medical practice."
A compromised HMIS can lead to patient data breaches and disruption of critical care services. Below are 10 security considerations that hospitals should address:
One of the fundamental security measures for HMIS is implementing access control. Healthcare staff should only have access to information necessary for their specific roles—known as the principle of least privilege.
Access control mechanisms can include:
The NIH research article highlights a vulnerability in this area, observing that "medical information systems including important personal health information should be separated from the internet, but some hospitals did not separate personal medical records from networks either physically or logically. In matters of mobile computing and teleworking, there were many demands for telemedicine, but it was not allowed because of security even now." This shows the importance of network separation and carefully controlled access points in healthcare environments.
In 2024, UnitedHealth Group experienced a breach when cybercriminals exploited stolen credentials to access Change Healthcare's Citrix portal, which lacked multi-factor authentication (MFA). This oversight allowed attackers to exfiltrate sensitive data of over 100 million individuals. The incident demonstrates how inadequate access controls can lead to data breaches, emphasizing the importance of implementing strong authentication mechanisms across all access points.
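The least-privilege and MFA points above, as an added example that is not code from the original article or from any hospital system it describes. The roles, permissions, record identifiers and the `authorize`/`can` helpers are all hypothetical: access is granted only when the session has a verified second factor, the role holds the requested permission, and, for clinical actions, the patient is on the user's own care list.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

# Hypothetical role-to-permission map: each role holds only what its job needs.
ROLE_PERMISSIONS = {
    "nurse":      {"chart:read", "vitals:write"},
    "physician":  {"chart:read", "chart:write", "rx:write"},
    "billing":    {"billing:read", "billing:write"},
    "it_support": {"audit:read"},          # no clinical-record permissions at all
}

# Actions that touch patient records and are therefore scoped per patient.
CLINICAL_PREFIXES = ("chart:", "vitals:", "rx:")


@dataclass(frozen=True)
class User:
    username: str
    role: str
    mfa_verified: bool                     # the session completed a second factor
    assigned_patients: FrozenSet[str] = field(default_factory=frozenset)


class AccessDenied(Exception):
    """Raised with a reason string suitable for the audit log."""


def authorize(user: User, action: str, patient_id: Optional[str] = None) -> bool:
    """Return True when every check passes; raise AccessDenied with the reason otherwise."""
    if not user.mfa_verified:
        raise AccessDenied(f"{user.username}: second factor not verified")
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        raise AccessDenied(f"{user.username} ({user.role}) lacks permission {action}")
    # Clinical actions are scoped further: only patients on the user's own care list.
    if action.startswith(CLINICAL_PREFIXES) and patient_id not in user.assigned_patients:
        raise AccessDenied(f"{user.username} is not assigned to patient {patient_id}")
    return True


def can(user: User, action: str, patient_id: Optional[str] = None) -> bool:
    """Boolean wrapper for callers that log the denial instead of handling the exception."""
    try:
        return authorize(user, action, patient_id)
    except AccessDenied:
        return False


if __name__ == "__main__":
    nurse = User("nurse_a", "nurse", True, frozenset({"P100"}))
    doctor_no_mfa = User("doc_b", "physician", False, frozenset({"P100"}))
    for who, action, pid in [(nurse, "chart:read", "P100"),
                             (nurse, "chart:read", "P200"),
                             (nurse, "rx:write", "P100"),
                             (doctor_no_mfa, "chart:read", "P100")]:
        try:
            authorize(who, action, pid)
            print(f"ALLOW {who.username} {action} {pid}")
        except AccessDenied as reason:
            print(f"DENY  {reason}")
```

Denials carry a reason string so that the same decision can be written to the audit log; a portal that checks only the password, as in the Change Healthcare case above, would skip the first check entirely.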
Healthcare organizations handle large volumes of sensitive patient data. Encryption serves as a defense mechanism, ensuring that data remains protected both at rest and in transit.
An encryption strategy can include:
The 2023 breach at Hospital Sisters Health System (HSHS) exposed sensitive patient data of over 882,000 individuals. The compromised data included medical records, health insurance information, and Social Security numbers. While specific encryption failures weren't publicly detailed, the scale of this breach highlights how proper encryption could have protected this sensitive information even if unauthorized access occurred, potentially rendering the stolen data useless to attackers.
HMIS has numerous information assets that require proper classification and protection. According to the research article, "to control and maintain protection of the information asset, information asset classification which is a basic for identifying information assets and evaluating risks is needed. Asset management was analyzed to be the most vulnerable clause in the ISMS. There were little classification guidelines which were a base for establishment of countermeasures for information security management in hospitals."
An asset management program can include:
In 2023, HMG Healthcare experienced a data breach affecting 40 facilities across Texas and Kansas. Hackers accessed unencrypted files containing sensitive information, including medical records and Social Security numbers. The breach was discovered months after it occurred, indicating inadequate asset tracking and classification. This incident demonstrates how poor asset management can leave organizations unaware of vulnerable data stores and delay breach detection.
Hospital management systems should undergo regular security assessments to identify and address vulnerabilities before they can be exploited.
An assessment program can include:
In July 2023, HCA Healthcare reported a data breach impacting approximately 11 million patients. The breach involved data stolen from an external storage location used for email communications. The incident shows the need for regular security assessments, including penetration testing, to identify and remediate vulnerabilities in all systems, not just those deemed important. Had regular security assessments been conducted on this external storage system, the vulnerabilities might have been identified and addressed before attackers could exploit them.
Outdated software is one of the most common attack vectors in healthcare environments. Keeping HMIS components updated is important for security.
A patch management program can include:
For systems that cannot be immediately updated (such as legacy medical devices), compensating controls should be implemented to mitigate risks, such as network segmentation or additional monitoring.
In 2014, Community Health Systems suffered a breach affecting 4.5 million patients. Hackers exploited the Heartbleed vulnerability in OpenSSL to steal sensitive data. The breach showed inadequate asset management and patching practices. Without an inventory of all systems using the vulnerable software and clear responsibility for updating them, the organization was unable to patch all vulnerable systems promptly, leaving patient data exposed to attackers.
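The asset management and patch management passages above both come down to the same record: an inventory that says what each system is, how sensitive its data is, who is accountable for it, and whether it is patched or, if it cannot be, what compensating control covers it. The following is an added example, not code from the article or from any of the organizations it names; the `Asset` record, the classification scheme, the component names, the minimum-version table and the sample inventory are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    owner: str                       # team accountable for patching; "" means nobody
    classification: str              # "PHI", "internal" or "public" (constructed scheme)
    software: str                    # tracked component running on the asset
    version: Tuple[int, ...]         # numeric version, compared as a tuple
    patchable: bool = True           # False for vendor-locked legacy devices
    compensating_controls: Tuple[str, ...] = ()


# Constructed: minimum version considered fixed for each tracked component.
MIN_SAFE_VERSION: Dict[str, Tuple[int, ...]] = {
    "tls-lib": (1, 0, 2),
    "ehr-agent": (4, 7, 0),
}

# Findings on PHI systems are reported first.
PRIORITY = {"PHI": 0, "internal": 1, "public": 2}

Finding = Tuple[str, str, str, str]   # (classification, asset, status, detail)


def review_inventory(assets: List[Asset]) -> List[Finding]:
    """Flag missing owners, untracked software, unpatched systems and uncovered legacy devices."""
    findings: List[Finding] = []
    for a in assets:
        if not a.owner:
            findings.append((a.classification, a.name, "no_owner",
                             "no accountable owner recorded"))
        minimum = MIN_SAFE_VERSION.get(a.software)
        if minimum is None:
            findings.append((a.classification, a.name, "untracked",
                             f"{a.software} has no fixed-version entry"))
            continue
        if a.version >= minimum:
            continue
        ver = ".".join(map(str, a.version))
        if a.patchable:
            findings.append((a.classification, a.name, "patch",
                             f"{a.software} {ver} below minimum; schedule update"))
        elif not a.compensating_controls:
            findings.append((a.classification, a.name, "needs_controls",
                             f"legacy {a.software} {ver} with no compensating controls"))
        else:
            findings.append((a.classification, a.name, "mitigated",
                             f"legacy {a.software} {ver} covered by "
                             + ", ".join(a.compensating_controls)))
    return sorted(findings, key=lambda f: PRIORITY.get(f[0], 99))


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Asset("ehr-db-01", "dba-team", "PHI", "tls-lib", (1, 0, 1)),
    Asset("infusion-pump-12", "", "PHI", "tls-lib", (0, 9, 8), patchable=False),
    Asset("mri-console-03", "radiology-it", "PHI", "tls-lib", (0, 9, 8), patchable=False,
          compensating_controls=("segmented VLAN", "flow monitoring")),
    Asset("www-public", "web-team", "public", "tls-lib", (1, 0, 2)),
    Asset("kiosk-07", "facilities", "internal", "signage-app", (2, 1, 0)),
]

if __name__ == "__main__":
    for classification, name, status, detail in review_inventory(SAMPLE_INVENTORY):
        print(f"[{classification}] {name}: {status} - {detail}")
```

An asset with no fixed-version entry is itself a finding: a component nobody tracks is exactly the gap that left systems unpatched in the case above.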
Audit logging provides visibility into system activities and helps detect suspicious behavior.
Aspects of effective logging include:
In October 2021, Broward Health suffered a data breach where an intruder accessed personal and medical information of patients and staff through a third-party medical provider. The breach went undetected for four days, suggesting deficiencies in audit logging and real-time monitoring systems. This delay in detection allowed the attackers extended access to sensitive systems and data. Had logging and monitoring been in place with automated alerts for suspicious activities, security teams could have identified and responded to the intrusion much sooner, potentially limiting the scope and impact of the breach.
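The detection side of the logging point above, as an added example that is not code from the article or from any hospital's monitoring system. The log format, the sample lines, the internal address range and the three rules (bulk chart access inside a sliding window, clinical access outside working hours, access from outside the hospital's own address space) are all constructed; they show the kind of automated alert that would have shortened the four-day detection gap described in the case above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit lines: "<ISO timestamp> <user> <action> <patient_id> <source_ip>".
SAMPLE_LOG = """\
2021-10-15T09:01:10 nurse_a chart:read P1001 10.0.5.21
2021-10-15T09:03:44 nurse_a chart:read P1002 10.0.5.21
2021-10-15T09:05:02 vendor_x chart:read P2001 203.0.113.7
2021-10-15T09:05:09 vendor_x chart:read P2002 203.0.113.7
2021-10-15T09:05:15 vendor_x chart:read P2003 203.0.113.7
2021-10-15T09:05:20 vendor_x chart:read P2004 203.0.113.7
2021-10-15T09:05:26 vendor_x chart:read P2005 203.0.113.7
2021-10-15T09:05:31 vendor_x chart:read P2006 203.0.113.7
2021-10-15T23:40:00 billing_b chart:read P1003 10.0.7.4
"""

# Constructed: the hospital's own internal address space; anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse well-formed lines into dicts; malformed lines are counted, not fatal."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        ts, user, action, patient, ip = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "ip": ip})
    return events, malformed


def detect(events, bulk_threshold=5, window=timedelta(minutes=5), after_hours=(20, 6)):
    """Return sorted (rule, user, detail) alerts; each rule fires at most once per user per detail."""
    alerts = set()
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        # Rule 1: bulk access - distinct charts read inside a sliding time window.
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["patient"] for e in evs[start:end + 1] if e["action"] == "chart:read"}
            if len(distinct) >= bulk_threshold:
                alerts.add(("bulk_access", user, f"{len(distinct)} charts within {window}"))
                break
        for e in evs:
            # Rule 2: activity outside the configured working hours.
            hour = e["ts"].hour
            if hour >= after_hours[0] or hour < after_hours[1]:
                alerts.add(("after_hours", user, e["ts"].isoformat()))
            # Rule 3: activity from outside the hospital's own address space.
            if not any(ip_address(e["ip"]) in net for net in INTERNAL_NETS):
                alerts.add(("external_source", user, e["ip"]))
    return sorted(alerts)


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    print(f"{len(parsed)} events parsed, {bad} malformed")
    for rule, user, detail in detect(parsed):
        print(f"ALERT {rule:16} {user:10} {detail}")
```

The thresholds are deliberately parameters: a records clerk legitimately opens many charts per hour, so the bulk rule is usually tuned per role rather than applied globally, and the working-hours rule needs a per-department schedule in practice.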
The research article revealed gaps in this area: "There were no entry logs of offices, even in the data processing department with concentrated information assets. Public access, and delivery showed to be the most vulnerable among sub-controls. The level of equipment security was relatively higher than other controls and cabling security was managed well in the 5 hospitals. But equipment that could contain personal health information was disposed of and re-used inappropriately".
A physical security approach can include:
The University of Miami Hospital experienced multiple physical thefts, including medical equipment and patient data. Notably, two former employees accessed patient registration forms containing sensitive information. These incidents reveal deficiencies in physical security measures and the importance of controlling both physical and digital access to sensitive data. This case demonstrates that physical security breaches can be just as damaging as cyber attacks, displaying the need for physical access controls, continuous surveillance of sensitive areas, and proper management of physical documents containing protected health information.
According to Amy Larson DeCarlo, Principal Analyst, Security and Data Center Services at GlobalData, "It is important for healthcare institutions and payer organizations to understand that the weakest security link in an organization is the human element." The research article emphasizes that "people involved in hospitals such as employees, contractors and third party users should understand the responsibilities of information protection, and hospitals should set up procedures of termination or change of employment, and the education and evaluation schedules to train all staff".
An HR security program can include:
In 2023, Insight Global, a staffing firm managing COVID-19 contact tracing in Pennsylvania, mishandled sensitive data by using unauthorized Google accounts. The breach affected 72,000 residents and showed the need for human resources security policies and training. Employees' improper data handling stemmed from inadequate security awareness training and unclear policies. This incident demonstrates how human error and process failures can lead to data exposure, emphasizing that technological controls must be complemented by staff training and clear security policies.
When security incidents occur, hospitals must be prepared to respond quickly and effectively. The NIH research article found shortcomings in this area, noting that "for the cases of information security incidents, organization systems or procedures, no actions were set up. Reporting security weaknesses was implemented in 4 hospitals, the collection of evidence and recovery and follow-up security events were at a very low level (10 to 12%)."
Regarding business continuity, they observed that "some hospitals had disastrous recovery systems, but developing and implementing continuity plans including information security, business continuity planning framework and testing, maintaining and reassessing business continuity plans were not established properly to face the disasters."
An incident response program can include:
In 2022, Baton Rouge General Health System suffered a cyber incident that disrupted electronic medical records, forcing a temporary switch to paper records. The breach occurred between June 24 and June 29, but the organization only confirmed it later. This delay showed the need for incident response plans and business continuity strategies to maintain operations during and after security incidents. The case demonstrates how healthcare organizations must be prepared to implement backup procedures to ensure continuous patient care when digital systems are compromised, while also maintaining clear communication protocols to inform stakeholders promptly about security events.
Hospital management systems integrate with numerous third-party applications and services, each representing a potential security risk.
A vendor management program can include:
Stanford Hospital experienced a data breach in 2009 when a spreadsheet containing 20,000 patient records was exposed online. The breach was traced back to a third-party vendor, emphasizing the need for regular security assessments and third-party risk management. Regular security assessments would have identified the vulnerable data handling practices and potentially prevented the exposure of sensitive patient information. This case underscores the importance of extending security assessments to include vendor relationships and data handling practices.
Hospitals should implement mobile device management (MDM) policies and enforce encryption and remote wipe capabilities.
They should isolate these systems from the main network and increase monitoring to reduce exposure.
Cybersecurity policies should be reviewed and updated at least annually or when new threats emerge.
Hospitals can run simulated cyberattack drills and conduct third-party security audits to evaluate preparedness.