There has been an increase in cyberattacks on hospitals in 2017, according to a recent Mimecast survey. The survey polled 76 healthcare IT professionals in the United States. 78% said they had experienced a cyberattack in the past 12 months.
Cyberattacks on hospitals take many forms. Hackers often take advantage of poor patching policies and misconfigured servers and databases, although email is the primary attack vector.
When email-based attacks occur, they typically result in email downtime, a major problem in the healthcare industry. 93% of respondents said email is critical to their organization, and half of respondents said they simply could not cope with email downtime. Ensuring email systems are protected, and kept up and running, is therefore essential.
When asked about their biggest email-related concern, respondents saw ransomware as the top threat: 83% rated it the most worrying email-related threat. The second biggest threat was perceived to be malware, followed by phishing attacks and BEC scams. 97% of respondents to the survey said they had a high level of concern about cybersecurity and their ability to repel attacks.
When healthcare email accounts are compromised, the attackers gain access to the protected health information of patients, which can be used for a wide range of malicious purposes. The survey indicates four out of five healthcare organizations send protected health information by email.
Healthcare organizations are covered by HIPAA legislation, which requires breaches of PHI to be reported and patients to be notified. The Department of Health and Human Services’ Office for Civil Rights investigates all breaches of PHI that impact 500 or more patients, and there are severe fines for organizations that are discovered to have failed to implement appropriate defenses to protect against phishing and other email-related threats. Multi-million-dollar fines are a very real possibility.
With email so critical and the financial penalties for noncompliance with HIPAA so severe, it is no surprise that healthcare organizations are investing heavily in cybersecurity defenses to protect their email systems. 94% of respondents said they were currently working on initiatives to prevent malware, ransomware and phishing attacks.
90% said they are now training their employees to be more security aware, and 77% said they are deploying solutions to keep their email systems secure.
“It’s encouraging that protecting the organization and training employees are top initiatives for next year, but the survey suggests the industry has work to do,” said Mimecast cyber resilience strategist David Hood.