HIMSS 2019 Cybersecurity Report: “Bad Actors” Taking Advantage of Ecosystem Gaps

Feb. 12, 2019
Some positive trends are being noticed, such as cybersecurity budgets increasing

The 2019 HIMSS Cybersecurity Survey of 166 healthcare security professionals has revealed that significant security incidents are a near-universal experience in U.S. patient care organizations, with many of the incidents initiated by bad actors leveraging e-mail as a means to compromise the integrity of their targets.

The survey from HIMSS, released this week at the annual conference in Orlando, set out to provide insight into what healthcare organizations are doing to protect their information and assets, in light of increasing cyber attacks and compromises impacting the healthcare and public health (“HPH”) sector.

In addition to the key finding about e-mail incidents, several other noteworthy findings from the research include:

Many positive advances are occurring in healthcare cybersecurity practices and healthcare organizations appear to be allocating more of their information technology budgets to cybersecurity.

Complacency with cybersecurity practices can put cybersecurity programs at risk. There are certain responses that are not necessarily “bad” cybersecurity practices, but may be an “early warning signal” about potential complacency seeping into the organization’s information security practices.

Notable cybersecurity gaps exist in key areas of the healthcare ecosystem. The lack of phishing tests in certain organizations and the pervasiveness of legacy systems raise grave concerns regarding the vulnerability of the healthcare ecosystem.

Digging Into the Details

When asked a question relating to significant security incidents their organization experienced during the past year, 22 percent of respondents reported they did not experience a significant security incident. These findings are in line with the 2018 HIMSS Cybersecurity Survey, where 21 percent of respondents reported that their organization had not experienced a significant security incident during the previous 12 months. Researchers noted, “Hospital breaches, especially, have made the headlines. This does not diminish the fact that non-acute and vendor organizations should be less concerned about security challenges than their hospital peers.”

Respondents were also presented with an extensive listing of “threat actors” frequently associated with significant security incidents and asked to characterize the sources responsible for their organizations’ significant security incidents over the past 12 months. Almost half (48 percent) of all respondents cited two primary threat actors: online scam artists (28 percent) and negligent insiders (20 percent). Similar to 2018 findings, online scam artists continue to be the most frequently cited threat actor (28 percent in 2019; 30 percent in 2018).

However, the report also notes that positive advances are occurring in healthcare cybersecurity practices. According to the researchers, “The notion of ‘Who would attack a hospital?’ has slowly faded away as a new reality presented itself. We are all now targets of cyber adversaries and other bad actors. There are no exceptions. Fortunately, healthcare cybersecurity is a primary concern at many organizations. As a result, healthcare cybersecurity professionals have more resources and budget available to help ensure that their organizations stay ahead of the threats.”

When asked to rate the extent to which they agreed that cybersecurity professionals were empowered to drive change throughout their organizations, the majority of respondents (59 percent) indicated some level of agreement with the statement (44 percent agree and 15 percent strongly agree). However, 41 percent of the respondents stated that they did not feel empowered to drive significant change throughout their organizations.

As such, compared to last year’s results, the percent of an organization’s IT budget allocated to cybersecurity appears to be increasing. In the 2018 HIMSS Cybersecurity Survey, 21 percent of respondents indicated their organization allocated 1 to 2 percent of their IT budget to cybersecurity, whereas this year the percentage dedicating the same amount dropped to just under 10 percent.

When asked specifically how their organizations’ cybersecurity budgets compare to the previous year, 72 percent of respondents indicated their budgets increased by 5 percent or more (38 percent) or remained essentially the same (34 percent).
