8 Common Data Security Gaps in Health Care

Healthcare facilities house some of the most valuable kinds of datasets. Since data security gaps pose a serious legal, financial, and reputational risk, professionals should work to bridge them as soon as possible.

1. Adequately Securing Disparate Data Storage Systems

The average healthcare facility has an abundance of operational, billing, regulatory, patient, and medical data it keeps in various digital silos and filing cabinets throughout the building. It likely also uses the cloud or a third-party vendor’s remote storage solution. Many administrators believe their security is adequate because each endpoint is somewhat secure.

However, the value of comprehensive oversight cannot be overstated. Having disparate storage systems means bad actors can easily slip in unnoticed, enabling them to tamper with or exfiltrate sensitive information. Considering approximately 133 million patient records were exposed or mishandled in 2023 alone, this is a serious issue.

Hospitals should eliminate as many data silos as possible and establish a prioritization-based cybersecurity framework that centers the information technology (IT) team’s focus on critical information assets. This way, they won’t have to needlessly spread out their resources or be overwhelmed with the sheer volume of security logs.

2. Enabling Lateral Movement With Interconnected Systems

Interconnected digital systems are just as convenient for hackers as they are for staff. In-house registration and billing systems store sensitive patient and financial data for later use, making it easier for internal and external threats to act. While they’re helpful when departments must share records or communicate, their heightened visibility creates data security gaps.

Every system that allows users to view, alter, share, or delete records should have access controls. Staff should be prompted to reenter their login details whenever they switch platforms or spend a certain amount of time logged in. Also, they should only be able to access records directly pertaining to their job. This way, institutions prevent lateral movement and exfiltration.

3. Brushing Aside the Need to Revisit Data Sources

In 2021, 41% of health care decision-makers in the United States reportedly had fully functional artificial intelligence systems. As AI adoption becomes more accepted and accessible, the likelihood of security gaps appearing rises. Without consistent evaluations and updates, bad actors can trick models into revealing database details.

Prompt injection feeds AI malicious orders disguised as regular input. A basic example is the phrase “ignore all previous instructions” because it tricks the model into disregarding its guardrails. Hospitals with patient-facing chatbots should prioritize bolstering their algorithm against these attacks by training them to anticipate and ignore such prompts.

4. Ignoring Third-Party Vendors’ Roles in Data Security

For over a decade, the health care sector has reportedly had the most expensive data breaches out of all industries. According to IBM, its breach costs increased by 53.3% from 2020 to 2023, with each incident costing $10.93 million on average. These findings are unsurprising because hospitals are overflowing with valuable medical and financial datasets.

Unfortunately, no one is in a better position to leak, steal, and sell those records than those with legitimate access to them. Since the average health care facility has approximately 15.5 third-party vendors, dozens — possibly hundreds — of individuals access, read and share sensitive information with little to no oversight.

Hospitals can’t immediately terminate relationships to bridge this data security gap, so they must settle for the next best solution. Fully homomorphic encryption lets third parties perform complex mathematical operations on ciphertext without decrypting it, enabling institutions to share records safely.

5. Minimizing Medical Wearable and Implantable Threats

Medical wearables and implantables are constantly connected to the internet and exchanging data with remote servers, making them especially vulnerable to hackers. Moreover, patients have more control over those records, meaning the likelihood of human error creating unforeseen security gaps is much higher.

There’s also the issue of the Internet of Things. Even with recent legislation mandating these devices must be properly updated and protected, they’re still rarely secured well enough. At-rest and in-transit encryption are the best solutions to all these problems because they prevent bad actors from doing anything, even if their attacks are successful.

6. Improperly Disposing of Outdated Data

While most hospitals properly erase and destroy storage media for compliance purposes, some aren’t as thorough as they should be. IT professionals should be overly cautious since bad actors can use residuals to easily recover information. Purging and physically destroying drives is the correct approach.

According to the U.S. National Institute of Standards and Technology’s guidelines for media sanitization — NIST SP 800-88 — hard disk drives must overwrite the media and purge the drive. They must then physically destroy the storage medium by shredding, disintegrating, pulverizing, or incinerating it. The process for solid-state drives is more particular since they use flash memory.

7. Viewing Cybersecurity and Data Security as Separate

An imaginary disconnect exists between cybersecurity and data security in many administrators’ minds. They view the two concepts as separate, even though they aren’t — reinforcing networks, computer systems, accounts, and infrastructure protect datasets. Facilities that disregard the former will experience issues with the latter.

According to one study, 96% of health informaticians believe cybersecurity is critical for data protection, but only 50% of hospitals can adequately manage cyber threats. IT teams should compensate by leveraging authentication measures, network monitoring tools, and automated incident response systems.

8. Merging Legacy and Modern Storage Systems

Many hospitals — especially those in rural and underfunded urban areas — rely heavily on legacy tech stacks. However, most have upgraded some systems through grants, strategic budgeting, or luck. Although partial modernization may seem better than none, bridging the gap between outdated and contemporary technology is often challenging.

In IT, the difference of a few years is equivalent to a lifetime. Legacy and modern systems have different operating systems, capabilities, middleware integrations, and backend infrastructure compatibilities. Attempting to use them simultaneously often results in misconfigurations, missed updates, and incompatibilities.

Merging these storage systems creates one of healthcare's most significant data security gaps. Bad actors can easily exploit weak spots, giving them access to sensitive patient data. Hospital IT teams that can’t postpone partial upgrades must prioritize updates and evaluations. Minimizing integrations and optimizing interconnectivity is vital.

Prioritize Data Security to Minimize Legal Consequences

Hospitals that bridge data security gaps will find it easier to comply with regulations like the Health Insurance Portability and Accountability Act. If they act swiftly and strategically, they can minimize their risk of facing legal and regulatory consequences.