HIMSS has released the findings of its 2017 healthcare cybersecurity survey, which gives us valuable insights into the state of cybersecurity in the healthcare sector and names the top healthcare security threats.
The HIMSS 2018 cybersecurity survey was carried out on 239 respondents from the healthcare sector between December 2017 and January 2018. The findings of the survey were revealed at the HIMSS 2018 Conference & Exhibition based in Las Vegas.
36.8% of those who answered the survey held positions in executive management and 37.2% were employed in non-executive management roles. The other 25.9% were in non-management roles such as cybersecurity specialists and analysts. 41.2% of respondents were primarily responsible for cybersecurity, 32.6% had some responsibility, and 11.8% were only occasionally responsible for cybersecurity.
Majority of Healthcare Groups Have Suffered a Significant Security Incident in the Past Year
The potential for healthcare cyberattacks is higher than ever and the past year has been a torrid one. 75.7% of respondents said they had suffered a significant security incident in the past 12 months. 96% of those respondents were able to characterize the threat actor to blame, with the top three being online scam artists, including phishers (37.6%), negligent insiders (20.8%), and hackers (20.1%).
61.4% of respondents stated that email was the initial point of compromise. In second place was 'other', which comprised compromised customer networks, web application attacks, guessed passwords, improperly configured software and cloud services, and human error. Tied for third, each with 3.2% of answers, were a compromised organizational website and hardware or software pre-loaded with malware. 11.6% stated that they did not know how the attackers obtained access to their networks or data.
In most cases (68.2%), incidents were identified internally (40.7% by security teams / 27.5% by non-security personnel). 67.7% of breaches were discovered within 7 days, with 47.1% detected within one day.
Enhancements in Healthcare Cybersecurity
The past year has seen a rise in healthcare security incidents, although the severity of data breaches has fallen year over year. This suggests cybersecurity in healthcare is improving, a view supported by the HIMSS survey results.
84.3% of respondents said more resources are now being devoted to cybersecurity, with only 3.3% saying resources have fallen year over year. 60% of respondents said their organization now employs a senior information security leader.
55.8% of respondents said a dedicated or defined amount of their current budget is given over to cybersecurity. 26.5% of respondents said there was no specific carve out for cybersecurity but money was being invested as needed or could be sought. Only 2.8% said no money is invested on cybersecurity.
HIPAA requires healthcare groups to complete regular risk assessments to identify potential threats to the confidentiality, integrity, and availability of protected health information. The survey showed healthcare groups are being proactive and are conducting risk assessments and using the outcomes to direct their cybersecurity efforts.
45.5% said they are completing security risk assessments yearly, 5.6% were conducting risk assessments every six months, 9% performed risk assessments once a month, and 9.6% said they completed risk assessments daily. Worryingly, 5.1% said they do not complete risk assessments and 4.5% conducted risk assessments less frequently than once per year.
More Room for Improvement
While cybersecurity practices are improving, there are still many areas where improvements can and should be made, and too little is being done to address the main healthcare security threats. The recent HIPAA compliance audits and fines for HIPAA violations have led many healthcare groups to concentrate on HIPAA compliance, which has taken priority over security.
HIMSS says that, in contrast to other industry sectors, healthcare cybersecurity programs lack maturity and have typically been in place for five or fewer years. HIMSS suggests that even with the healthcare industry being heavily attacked by cybercriminals, "many cybersecurity professionals are still getting used to the idea that there are bad actors out there that are directly or indirectly targeting healthcare organizations."
The main obstacles to remediating and mitigating cyberattacks were a lack of qualified personnel (52.4%) and a lack of financial resources (46.6%). Other obstacles were too many application vulnerabilities (28.6%), too many endpoints (27.5%), too many new and emerging threats (27%), insufficient cybersecurity intelligence (23.3%), and a network infrastructure too complex to secure (20.6%).
13.3% said they had no cybersecurity employees and 43.2% said their ratio of cybersecurity staff to IT users was higher than 1:500.
The majority of groups are spending 6% or less of their IT budgets on cybersecurity, 16.9% of groups had not adopted a cybersecurity framework, and 37.1% of organizations only carried out penetration tests yearly. Even though the threat from within is serious, 24.2% of healthcare groups did not have an insider threat management program and 27% said they had such a program but it was informal.
Phishing and email attacks are significant concerns and are behind most healthcare security breaches. OCR has also made it clear that phishing and security awareness training should be an ongoing activity, yet 51.8% of healthcare groups are still only conducting security awareness training yearly. Only 32.9% said they test their workers' phishing awareness with phishing simulations.
Main Healthcare Security Threats
There are many healthcare sector security threats, although some are thought to pose more of a danger than others. There was little to choose between the three main threats to network and data security. Data breaches and data leakage were listed as the top healthcare security threat by 11.8% of respondents, ransomware was in second place, ranked as the top cybersecurity threat by 11.3% of respondents, and credential theft malware was third at 11%. Malicious insiders were seen as a significant threat by 10.1% of respondents and wiper malware was ranked as a serious threat by 10% of respondents.
When asked about future cybersecurity priorities, respondents named incident response (11.9%), risk assessment and management (11.9%), business continuity and disaster recovery (11.8%), awareness training programs (11.6%), cloud security (11.2%), website security (10.8%), physical security (10.7%), and information sharing (10.4%).