A new survey of healthcare chief information officers and chief information security officers has found that CIOs and CISOs consider social engineering and data theft to be the most common cybersecurity threats facing their organizations. Social engineering, which includes such tactics as phishing, spear phishing and baiting, deceives employees into inadvertently creating a vulnerability on their organization’s network. The survey of nearly 200 members of the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) listed malware and ransomware as the top ways that cyber criminals are exploiting weaknesses. CHIME and AEHIS presented the survey findings Oct. 26 to the Department of Health and Human Services (HHS) Cybersecurity Task Force. Mandated by the Cybersecurity Information Sharing Act of 2015, the task force has been charged with analyzing the unique challenges and barriers to cybersecurity in healthcare. It is also studying how other industries are protecting data.
CHIME and AEHIS leaders publicly released the results of the survey on Oct. 27 in a press release. The results were based on responses from 189 healthcare IT executives. Among the highlights of the survey’s findings:
> Asked what the most common threats were to their organizations, on a scale of 1 to 5, respondents cited “organized crime” as the most common threat (average: 3.77), followed by “cyberterrorism” (3.55), “data theft” (3.19), “IoT” (3.12), and “social engineering” (2.31).
> In order of perceived threat, the following threats were seen as posing the greatest concern to respondents, on a scale of 1 to 5, 5 being the highest level: denial of service (average: 2.63), botnets (2.38), insider threat (2.33), back doors (2.28), hacking (1.99), malware (1.65), ransomware (1.49). Ransomware was seen as the biggest threat among organizations with fewer than 100 beds (2.18), while denial of service attacks were seen as the biggest threat among organizations with 400 or more beds.
> Asked what their biggest vulnerabilities were from among a list of five choices, and again on a scale of 1 to 5, respondents rated “buffer overflows” the biggest vulnerability (average: 2.82), followed by “injection vulnerabilities” (2.47), “poor authentication and session management” (2.23), “security misconfiguration” (2.09), and “data exposure” (1.77).
> Asked, “In your opinion, why does the business strategy not drive the security strategy?” and given seven possible reasons as choices, respondents ranked those reasons in the following order: “budgets or staffing” (5.1), “pace of change for the business (too many other initiatives)” (5.05), “Security is not considered a patient care or quality of care issue” (4.08), “Changing delivery of care models and workflows don’t address security until after the fact” (3.95), “Threat landscape changes too quickly” (3.72), “Regulatory landscape is too complex” (3.4), and “BYOD/BYOA” (2.72).
In a statement contained in the organizations’ press release, Marc Probst, chair of the CHIME board of trustees and CIO at Intermountain Healthcare, said, “The survey data is representative of what we are hearing from our colleagues across the industry. Cyber criminals are attacking us from nearly every angle. We have to be extremely vigilant in educating our staff and our business partners on how to minimize the risk of an attack. We are only as safe as the weakest link along our networks.”