HIMSS Survey: Most Healthcare Organizations Have Suffered Data Breaches
For the second straight year, healthcare data breaches were cited as a top threat to the industry, according to the annual HIMSS Cybersecurity Survey. Healthcare ransomware and malware that steals credentials are also key worry areas for information security professionals.
Seventy-five percent of the 239 healthcare respondents said that their organization experienced a significant security incident in the past 12 months. Nearly all of those entities (96 percent) were able to identify the threat actor.
Thirty-seven percent of respondents that experienced a security incident in the past 12 months said it was due to an online scam, such as phishing or spear phishing. Twenty percent of those surveyed attributed the attack to a negligent insider, with another 20 percent saying a hacker caused the issue.
Approximately 62 percent of respondents pinpointed email as the initial point of compromise. The second most common point of compromise was “other,” which included web application attacks, compromised customer networks, weak passwords, misconfigured cloud servers, and human error.
“With the plethora of tools available to generate phishing e-mails and relative ease to generate and send targeted e-mails or mass e-mails (plus, relatively little time commitment), it is not surprising that phishing is the most popular initial point of compromise for recent significant security incidents,” report authors explained. “The likelihood of exploitability via phishing e-mails is high for reasons such as these.”
Healthcare organizations are making progress in improving their cybersecurity programs, the report showed. Eighty-four percent of respondents stated their organizations’ use of resources to address cybersecurity concerns has increased. Eleven percent said there has been no change of resources in the last year, while 3 percent noted a decrease in resources.
Over half (55 percent) of those surveyed said their organization has a dedicated or defined amount of the budget for cybersecurity needs. Twenty-six percent of respondents stated their entity does not have a specific amount for cybersecurity, but that money is spent on it.
Forty-five percent of respondents said a security risk assessment is conducted at least once per year, with 9 percent reporting one is conducted once a month. Approximately 10 percent stated their organization conducts a security risk assessment on a daily basis.
Healthcare organizations are also fairly uniform when it comes to their security risk assessment process, the survey found. The following areas are what respondents said are included in their security risk assessments:
- Cybersecurity policies and procedures, documentation (81.3 percent of respondents)
- Network (74.7 percent of respondents)
- Security awareness and training program(s) (73.5 percent of respondents)
- Physical security (71.1 percent of respondents)
- Inventory assets (69.3 percent of respondents)
“Risk assessments are done for a purpose—namely, managing risk (not just merely identifying and assessing risks, with nothing more),” report authors wrote. “New or improved security measures may be adopted, security solutions may be upgraded or replaced, and hardware, software, and devices may be replaced.”
“The results of risk assessments may even indicate a need to test things further (e.g., penetration testing).”
Approximately 83 percent of those surveyed said their organization adopted new or improved security measures because of the risk assessment results, while 65 percent said they replaced or upgraded security solutions. Just over half (56.6 percent) stated that hardware, software, or devices that were end-of-life or deprecated were replaced. Those replaced items were general IT assets rather than security-specific products such as firewalls or IDS.
A shortage of qualified cybersecurity personnel on staff and a lack of financial resources were the top two barriers to cybersecurity remediation and mitigation, the survey found.
Twenty-two percent of respondents said there was a 1:100 ratio of cybersecurity staff to IT users at their organizations, while 17.7 percent reported having more than 1:1000.
Healthcare organizations need to allocate more of their IT budgets to cybersecurity, researchers determined. Twenty-one percent of those surveyed said their organization allocated 1 to 2 percent of the IT budget to cybersecurity and 21 percent devoted 3 to 6 percent of the budget.
Having a universal cybersecurity framework could be greatly beneficial to the industry, the research team stated. Nearly 58 percent of respondents said their organization utilizes the NIST Cybersecurity Framework, with HITRUST (26.4 percent) and Critical Security Controls (24.7 percent) also in the top three.
“Before healthcare cybersecurity can improve, all healthcare organizations need to get on the same page,” researchers explained. “One of the ways to achieve this is through the adoption of a universal security framework. Unfortunately, we are not there yet.”
Establishing an insider threat management program and conducting more penetration tests will also be critical for improved cybersecurity, the report stated.
An insider threat management program can include policies, controls, and the involvement of management within an organization to address and mitigate the threat, according to HIMSS. Nearly 45 percent of respondents said their organization had such a program established, with 27 percent saying there was an informal program in place.
Thirty-seven percent of those surveyed reported that penetration testing is done once per year, while 8.2 percent conduct penetration testing more frequently than once a year.
Penetration tests should be done frequently and regularly, HIMSS researchers advised. This security measure can reveal issues that risk assessments may miss, including vulnerabilities, whether those vulnerabilities are actually exploitable, and the potential impact to the organization.
The 2017 HIMSS Cybersecurity Survey indicated that medical device security was a top provider concern. Respondents in the 2018 survey showed a continued worry in this area, and stated that patient safety was the top medical device security concern (39 percent).
“Medical devices can be life-sustaining or life-saving,” researchers wrote. “Many of these medical devices are now ‘connected.’ Accordingly, there is the possibility of a compromise, such as a cyber-attack, which may affect the operations, configuration, and/or safety of the medical device itself.”
Future healthcare cybersecurity priorities were fairly evenly distributed, the report showed. Incident response (11.9 percent), risk assessment and management (11.9 percent), business continuity and disaster recovery (11.8 percent), awareness training program (11.6 percent), and cloud security (11.2 percent) were the top priorities.
“Healthcare cybersecurity is advancing with some noted improvements,” researchers concluded. “However, there is always room for growth. Healthcare organizations (and their leaders) need to take proactive steps by instilling positive change and making cybersecurity a genuine priority.”