
Significant cybersecurity incidents are a 'near universal experience' in U.S. healthcare, HIMSS Cybersecurity Survey finds

Threats permeating the healthcare landscape are often initiated by bad actors, but cybersecurity pros are feeling more empowered to effect change.

Beth Jones Sanborn, Managing Editor

Significant cybersecurity incidents are a near universal experience in U.S. healthcare, and major gaps exist in the healthcare space, including a lack of phishing tests and the continued use of legacy systems, but positive progress shines through as well. Those are key findings of the 2019 HIMSS Cybersecurity Survey published last week at HIMSS19 in Orlando.

The universal threats permeating the healthcare landscape are often initiated by bad actors, with email being the most common point of entry. Only 22 percent of respondents said they had not experienced a significant security incident over the past year, and the survey found that hospitals still face frequent threats.

Bad actors initiated many of the incidents, with online scams responsible for 28 percent of incidents and negligent insiders being the culprits in 20 percent. Overall, the majority of threat actors (58 percent) were cybercriminals and others with "malicious intent."

Their most common pathway in? Email, according to 59 percent of respondents. Conversely, the most valuable assets in discovering security incidents seem to be internal. When asked who or what helped uncover an incident, 46 percent of respondents said it was their internal security team and another 37 percent cited internal personnel, making clear the value of staff training and stocking your own security force, however small it might be.

"It is incumbent on healthcare leaders to ensure internal personnel have the training and resources needed to ensure robust internal information security practices are in fact practiced," the report said.

The pervasive vulnerability of healthcare can be attributed to key gaps in practices and policies, opening organizations to threats. For example, despite phishing being widely regarded as the most popular form of attack, researchers found a stunning lack of phishing tests, with 18 percent of respondents saying they don't do them and 36 percent of non-acute care organizations saying the same.

Also, 69 percent of respondents said they have some sort of legacy system in place at their healthcare organization. "Running a legacy operating system is an ill-advised practice. Operating systems that have been unsupported for five, ten, or more years (decades in some cases) greatly increase a healthcare organization's risk of being compromised. This is particularly significant in light of recent international cyber-attacks such as WannaCry and NotPetya," the report said.

The report does point to important progress being made in healthcare cybersecurity practices that, if built upon, could better secure the healthcare space. First, results show that the majority of cybersecurity professionals are feeling at least somewhat more empowered to drive change in the industry.

Another important development is the growing validation of cybersecurity as a system-wide priority, reflected in an increase in the allocation of IT budget funds to cybersecurity efforts: 55 percent of respondents said some portion of their IT budget is going to cybersecurity. The amounts allocated are growing too, as 72 percent said their cybersecurity budgets had grown by at least 5 percent.

Security risk assessments are growing in utilization, with only 4 percent of respondents saying their organizations didn't conduct them and 70 percent of respondents saying their assessments covered at least eight of the 13 common components of a risk assessment.

The survey reflects feedback from 166 U.S.-based health information security professionals.