A new healthcare cyberattack survey commissioned by KPMG highlights the dire state of preparedness by healthcare organizations, the severity of the current threat landscape, and the extent to which healthcare providers and health insurers are being targeted by hackers.
A healthcare cyberattack survey was sent to 161 provider organizations and 101 health insurers with annual revenues in excess of $500 million. CIOs, CISOs, and Compliance Officers were asked to rate their organization’s cybersecurity defenses and answer questions about the volume of cyberattacks suffered over the past two years.
A startling 81% of respondents said their organization had been attacked by hackers in the last 2 years. 44% of respondents said their organization had suffered between one and fifty attempted attacks, 38% said the volume was between 50 and 350, and 13% claimed more than 350 attempted hacks had taken place.
For some HIPAA-covered entities, the attacks are relentless: 13% of organizations were required to fend off daily attacks, while 12% said they were attacked between two and three times a week.
According to a report posted on Modern Healthcare, KPMG’s Head of Health and Life Sciences Cyber Practice, Michael Ebert, said, “The vulnerability of patient data at the nation’s health plans and approximately 5,000 hospitals is on the rise and health-care executives are struggling to safeguard patient records.”
The survey findings indicate a lack of preparedness for a cyberattack, with 25% of respondents claiming they either didn’t know about their real-time cyberattack monitoring capabilities, or that they lacked the technology to monitor for cyberattacks in real time. Only 53% of providers and 66% of payers said they consider themselves to be ready to defend against a cyberattack.
The healthcare cyberattack survey asked respondents about the main threats to data security. Malware was the top concern, with 65% of respondents claiming it to be the main threat. 26% said botnets were the biggest threat, while insiders were named by 26% of respondents.
The main healthcare data security concerns in 2015 are:
- Malware – 67%
- HIPAA violations – 57%
- Internal vulnerabilities – 40%
- Security of medical devices – 32%
- Aging computer hardware – 31%
A number of reasons were cited for why the current threat level has risen so dramatically: the automation of clinical systems and the move to digital medical records, together with the ease with which data can be stolen. Thieves no longer need to enter a facility to physically remove files; data can be stolen remotely.
Outdated EHRs and old clinical applications, which contain numerous security flaws, are still in use, while “variations in network systems” give criminals easy access to health data.
However, one of the main problems, especially for organizations with limited cybersecurity budgets, is the rapidly evolving threat landscape and the increasingly sophisticated methods used by hackers to gain access to data.
Healthcare Cyberattack Survey Demonstrates Lack of Preparedness
The healthcare industry is lagging behind other industry sectors when it comes to preparing for cyberattacks. The report suggests that many insurers and healthcare providers need to take a totally different approach to cybersecurity defenses, and that it may be better to start from scratch and develop a proper cybersecurity defense plan, rather than try to bolt on fixes to old systems.
Setting up a dedicated information security operations center is deemed to be essential, as is the appointment of a leader to co-ordinate cybersecurity measures, yet 25% of providers and 20% of payers did not have a dedicated team in place, while 19% of providers and 8% of payers said they had not appointed a single person to be in control of information security.
There is clearly still a lot of ground to cover to bring cybersecurity defenses up to scratch, and until that happens, hackers are likely to continue to successfully break through security defenses and steal patient data. Even when that does happen, healthcare cyberattacks are now a fact of life. It is therefore essential that healthcare providers make preparations. When the next healthcare cyberattack occurs, rapid action is required to limit the damage caused.