A recent cybersecurity survey conducted by the Health Information and Management Systems Society (HIMSS) found that 75 percent of healthcare organizations experienced a significant security incident in the past 12 months. And, while more organizations view cybersecurity as a business priority, most healthcare organizations’ cybersecurity programs have room for improvement.
The 2018 HIMSS Cybersecurity Survey, based on the feedback from 239 health information security professionals, provides insight into what healthcare organizations are doing to protect their information and assets, in light of increasing cyber-attacks and compromises impacting the healthcare and public health sector.
“Significant security incidents at healthcare organizations have not slowed down by any means. If anything, it is projected that significant security incidents will continue to grow in number, complexity, and impact,” the report stated.
The survey found that 75.7 percent of healthcare organizations experienced a significant security incident in the past 12 months. While 21 percent said they did not have a recent significant security incident in the past year, 3 percent said they did not know.
What’s more, almost all respondents (96 percent) who said their organizations had experience a significant threat were able to characterize the threat actor. The top threat actor was the online scam artist involved in activities such as phishing and spear phishing (30 percent). Sixteen percent of respondents said negligent insiders were responsible for the most significant security incident, and another 16 percent identified hackers as the top threat actor.
Malicious insiders (4 percent), social engineers (3.7 percent, hacktivists (3 percent), and nation state actors (2 percent) also were identified as threat actors.
The majority of respondents (61.4 percent) indicated that the initial point of compromise was via e-mail (e.g., phishing e-mail). Yet others indicated that the initial point of compromise was in the “other” category (12.7 percent). For the “other” category, the initial point of compromise ranged from web application attacks, compromised customer networks, weak passwords, misconfigured cloud servers, and human error.
A minority of respondents (about 3 percent or less) indicated that the initial point of compromise was by way of a compromised organizational website (3.2 percent), hardware or software infected with malware “off the shelf” (3.2 percent), infected or compromised mobile device or medical device (each 2.1 percent), third party websites (1.6 percent), or a compromised cloud provider/service (1.6 percent).
When looking at time to discovery of a security incident, the majority of respondents (47 percent) said it took less than 24 hours for their organization to discover the attack; 13 percent said it took one to two days and 7 percent said it took three to seven days.
The HIMSS Cybersecurity report findings also yielded a few notable themes. Healthcare organizations with cybersecurity programs are making positive efforts towards improvement. More resources are dedicated to cybersecurity programs, the report stated. The vast majority of respondents (84.3 percent) indicated that their organizations’ use of resources to address cybersecurity concerns has increased. Yet others indicated that there has not been a change in resources since last year (11 percent). Still others indicated that their organizations’ use of resources has decreased (3.3 percent).
In the 2015 and 2016 HIMSS Cybersecurity Surveys, the majority of respondents indicated that cybersecurity was a business priority for their respective organizations. In the 2017 survey, 60 percent of respondents indicated that their organization employs a senior information security leader.
More than half of respondents (55 percent) said their organizations have a dedicated or defined amount of the current IT budget allocated for cybersecurity. However, a fair amount of respondents (26.5 percent) have no specific carve out of cybersecurity within the IT budget (but, money is spent on cybersecurity).
According to the survey report, another finding is that proactive measures are being taken as a result of regular risk assessments. Penetration testing and security awareness training are regularly conducted, the report stated. A little less than half of respondents (45 percent) said risk assessments are conducted once a year.
One positive trend is that 70 percent of respondents said cybersecurity assessments were conducted as part of their organization’s due diligence analysis when acquiring a product or service for their organizations. While this is a positive trend, 26 percent of respondents said their organizations don’t do these kinds of cybersecurity assessments as part of due diligence.
According to the survey, most healthcare organizations’ cybersecurity programs have room for improvement.” Significant barriers exist for remediating and mitigating security incident, namely, personnel and financial resources. Some organizations do not yet have formal insider threat management programs. Risk assessments widely vary from organization to organization,” the report states. Almost 20 percent of respondents (16.9 percent) said no security framework, such as NIST or HITRUST, had been implemented at their respective organizations at all.
Looking to the future, healthcare organizations have certain concerns and priorities which will shape the direction of healthcare cybersecurity. “Healthcare cybersecurity is advancing with some noted improvements. However, there is always room for growth. But, cybersecurity programs cannot advance alone. Indeed, barriers such as lack of cybersecurity personnel and financial resources still persist. Accordingly, healthcare organizations (and their leaders) need to take proactive steps by instilling positive change and making cybersecurity a genuine priority. It is only then that we can move forward instead of taking one step forward and two steps back,” the report stated.
