Cybersecurity in Healthcare and Public Health: Highlights from the 2018 HIMSS Survey
HIMSS has released its 2018 HIMSS Cybersecurity Survey report. Respondents included healthcare providers, vendors and consultants, and their roles spanned executive management, non-executive management and non-management professionals. The 2018 HIMSS Cybersecurity Survey sought to answer two overarching questions:
- How far has the healthcare and public health (HPH) sector progressed in cybersecurity?
- Who is doing what in cybersecurity?
Respondents were polled about whether their organizations had experienced a significant security incident in the past 12 months. A majority of respondents, 75.7 percent, stated that their organizations had experienced a significant security incident; 21.2 percent stated that their organizations had not.
Respondents whose organizations had experienced a recent significant security incident were asked to characterize the type of threat actor they believed was responsible. The most frequently cited threat actor was the online scam artist (e.g., phishing, spear phishing), named by 37.6 percent of respondents. Negligent insiders (20.8 percent of respondents) and hackers (20.1 percent of respondents) were also frequently identified as the threat actors responsible for the recent significant security incident.
For organizations that experienced a recent significant security incident, email was by far the most common initial point of compromise, cited by 61.9 percent of respondents. Other responses ranged from compromised organizational websites to compromised cloud providers or services, but each of these was generally cited by only 2 or 3 percent of respondents.
A significant number of respondents, 84.3 percent, indicated that their organizations had increased the resources (e.g., people, assets, other resources) devoted to cybersecurity compared to the previous year. However, the most frequently cited barriers to mitigating and remediating security incidents were a lack of people (52.4 percent of respondents) and a lack of financial resources (46.6 percent of respondents).
Given that hospitals typically run on thin profit margins (with some in the "red"), healthcare organizations struggle to provide enough money, resources and people to run their cybersecurity programs.
On a positive note, however, risk assessments are generally conducted at least once a year (69.7 percent of respondents), and most organizations take proactive action after a risk assessment:
- adopting new or improved security measures, 83.1 percent of respondents;
- replacing or upgrading security solutions, 65.1 percent of respondents;
- replacing hardware, software, devices, etc., that are end of life or have been deprecated, 56.6 percent of respondents.
However, less than half of respondents, 44.9 percent, indicated that their organizations have formal insider-threat management programs.
While there is definitely room for improvement, compared to the previous few years there is some positive movement in healthcare cybersecurity programs rather than a "flatline" trend. Yes, healthcare cybersecurity programs are making progress: we are alive and kicking.