Hospitals continue to funnel significant resources into securing the electronic health record (EHR) information that is increasingly the target of cyberattacks. But staying one step ahead of increasingly sophisticated hackers continues to be an ongoing challenge.

“Hackers seem to be more knowledgeable in defeating firewalls and gaining remote access,” said one facility manager surveyed as part of a nationwide security survey conducted in June by Health Facilities Management (HFM) and the American Society for Healthcare Engineering.

The vast majority of facilities are using access control, strong password requirements for authorized personnel, firewalls and mobile device passwords to protect private information, the survey shows. Growing numbers are adopting intrusion detection and mobile device management systems.

Nevertheless, many facilities still have a long way to go to achieve effective cybersecurity, largely due to changing regulations, advancing technology and the increasing expertise of hackers targeting confidential hospital information, experts say.

“Often when hospitals say they have access control, they are generally talking about having user names and passwords,” says Mac McMillan, co-founder and CEO at CynergisTek Inc., Austin, Texas. “That is nowhere near where they need to be in terms of keeping hackers out of their systems.”

Hospitals dealing with third parties, remote users and other points of access must be aware of both external and internal threats, he says.

McMillan adds that it is critical for hospitals to adopt two-factor authentication, particularly for remote users, third parties and accounts with elevated privileges. This is also strongly recommended by HIPAA for providing better security to EHRs. Two- or multifactor authentication combines more than one method, such as a password plus a fingerprint, hand or retina scan (biometrics).

McMillan also recommends re-evaluating elevated privileges, which allow certain staff to access any part of the network. “Hospitals should eliminate any and all elevated privileges that aren’t necessary,” he says, and then move to a non-persistent model for those they do need, in which the privilege is granted only when it is required rather than held permanently.

Due to rising targeted attacks that use specially modified malware, McMillan says the most important safeguard hospitals can adopt is advanced malware detection. Once a hacker sends emails containing a malicious file to hospital employees, it takes just one person opening that file to unleash the malware into the network.

“Malware detection solutions generally don’t require organizations to make changes to their system’s architecture,” he says. “They don’t require a lot of heavy lifting. I’m seeing it being implemented more and more because traditional solutions aren’t working.”

Keeping the proper cybersecurity protocols in place is also critical. The survey shows that 89 percent of facilities are conducting a cybersecurity risk analysis at least once a year. McMillan says 100 percent should be conducting a risk analysis once a year — at a minimum.

“Depending on any changes to your system, you may need to do an assessment more than once a year,” he says. “But with all that’s going on out there in the health care environment, it’s really important to reassess at least once a year.”

The American Hospital Association has developed several resources to help the health IT community prevent cyberattacks in hospitals. Those, and other resources and regulations, can be accessed on its website.

See the full 2016 Hospital Security Survey Special Report