Report: Healthcare providers protect wrong data, putting patient health at risk
Too many healthcare organizations are focused on securing the wrong assets, leaving them vulnerable to cyberattacks and putting patients at risk, a new report from Independent Survey Evaluators claims.
When healthcare leaders focus primarily on protecting patient data, they often fail to address actual cybersecurity threats that directly affect patient health, the report said. So if an active medical device or electronic work order were infiltrated by cybercriminals, the patient could be directly affected. On the other hand, an electronic health record is secondary – it requires a provider to alter the data before it could potentially harm a patient.
ISE studied 12 healthcare organizations, two healthcare data facilities, two active medical devices, two Web applications and other devices found on healthcare networks over the course of two years to determine the possibility of remote attacks and the readiness of these institutions to keep data secure.
"We found hospitals were antiquated in their network designs and unsure about the technologies that could effectively help them," the study's authors said.
"In many cases, vendor products purchased for a security purpose were inappropriate for the organization, and those systems that were appropriate were deployed incorrectly, all resulting in heavy waste while not achieving an improvement in security posture," they added.
Researchers separated threat vectors into primary, secondary and tertiary "attack surfaces" that expose patient health, more than their health data.
Many systems that are the focus of prevention efforts "have little value with regard to personally identifiable information or personal health information – the assets hospitals strive to protect most – yet they have direct consequences with regard to patient health," according to the report.
"These attack surfaces are largely left unprotected by hospitals and are precisely the attack surfaces to be targeted by an adversary seeking to harm a patient."
Among the primary surfaces: clinicians, medicine, active medical devices and surgery. Secondary (EHRs, passive medical devices, test results, work orders) and tertiary surfaces (climate controls, physical storage, barcode scanners, connected power) often get outsized attention.
Actions taken by health leaders often addressed only unsophisticated threats, according to the study, which left plenty of openings for attackers to get into information systems. Often, protection strategies assumed the attacks were not aimed at obtaining specific, targeted information, and therefore ignored the particular strategies and motivations of cyberattackers.
All of the hospitals in the study were failing on a range of levels to address modern security issues, largely due to a lack of funding.
"Security vulnerabilities in healthcare are a result of systemic business failures," said Ted Harrington, executive partner at ISE and one of the study's leaders, in a statement. "We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness and many more."
According to the study, one of the greatest vulnerabilities is that patients and visitors often have physical access to networks and equipment – an issue unique to healthcare. Time, accuracy and the environment also played into sometimes adverse security circumstances.
Along with the study, ISE published a blueprint to aid healthcare organizations in shifting their security focus. It outlines specific threats and the consequences of a breach, in addition to methods healthcare institutions can use to better secure their systems.
Twitter: @JessiefDavis