Spotlighting the Reality of Security Incidents and Other Cybersecurity Concerns in Healthcare

Healthcare organizations deal with the harsh reality of being a target of cybercriminals, social engineers, and others. These organizations contain a treasure trove of data that can be used for many purposes. Our most recent HIMSS Cybersecurity Survey shines a spotlight on this new reality.

The vast majority of healthcare organizations are experiencing significant security incidents (70% of respondents). Top significant incidents include phishing attacks (57% of respondents), credential harvesting attacks (21% of respondents), social engineering attacks (20% of respondents), and ransomware or other malware (20% of respondents). Phishing remains the top significant security incident.

Disruption is the most typical impact of significant security incident. Twenty-eight percent of respondents reported disruption of information technology operations. Twenty-seven percent of respondents reported disruption of business operations. Twenty-one percent of respondents reported that a breach or data leakage occurred. Twenty percent of respondents reported a monetary loss, such as business email compromise, wire fraud, or extortion.

Cybercrime Is up From Last Year

In terms of who is responsible for these significant security incidents, the top threat actors are online scam artists (58% of respondents) and cybercriminals (51% of respondents). Cybercrime has significantly increased since the previous year. Only 26% of respondents found that significant incidents were caused by cybercriminals according to the results from last year’s survey.

Threat actors typically seek out the following targets: 1) financial information, 2) employee information, and 3) patient information. Financial information (51% of respondents) and employee information (48% of respondents) are highly targeted according to the survey findings. Patient information is also targeted as well (34% of respondents). Financial information is highly desirable as it is used by threat actors to compromise bank accounts and divert wire transfers of funds into accounts that are controlled by them. By the same token, employee information may be used for identity theft and other fraudulent purposes. For example, an employee’s pay may be diverted to an account controlled by the fraudsters, instead of the employee’s account. In another example, employee information may be used to craft rather sophisticated phishing emails using insider information. Additionally, patient information may be sold on the black market. Such stolen patient information may be used for blackmail and/or espionage purposes, especially in the case of high-profile individuals or individuals with access to sensitive or unique information.

Phishing Continues to Put Organizations at Risk

Significant security incidents are typically the result of either a successful phishing attempt and/or human error. Specifically, phishing is generally used by attackers as a first step in comprising systems and networks. Email phishing remains the most typical initial point of compromise according to a majority of the respondents (89%). This is consistent with the last two years of HIMSS data. Human error is the second most typical initial point of compromise (35% of respondents). Human error is often the root cause of many significant incidents.

Healthcare organizations primarily rely on internal resources for discovering significant security incidents. These resources include the internal security team (75% of respondents) and other internal personnel (N=67, 57% of respondents). This is especially important since the primary means for compromising healthcare organizations is through phishing. Vigilant internal security teams and internal personnel can help mitigate potentially serious incidents. Thus, these workforce members are the first line of defense.

Lack of Resourcing Causes Challenges

Respondents generally report that 6% or less of the information technology budget is allocated for cybersecurity (42% of respondents). This finding is consistent with results from two years ago. Additionally, cybersecurity budgets typically did not change from the prior year.

Many respondents, too, are not conducting end-to-end (i.e., comprehensive) security risk assessments. Only 50% of respondents reported that their organizations are doing so in the most recent survey. This has been some improvement from the past few years (37% of respondents in 2019, 27% of respondents in 2018). But, more progress needs to be made. All respondents should be conducting end-to-end security risk assessments to protect their networks, systems and data.

Another pervasive challenge within healthcare organizations are legacy systems. Legacy systems are the norm and the footprint has grown within healthcare organizations (80% of respondents). Legacy systems put data at risk, unless sufficient compensating controls are put into place. By continuing to use these unsupported legacy systems, healthcare organizations are putting patient data and other sensitive data at risk.

Improvements Are Being Made, but Slowly

Healthcare organizations are making some improvements to their respective security postures. However, additional improvement is needed. Fortunately, there is robust guidance to help organizations improve their security posture. The U.S. Department of Health and Human Services published the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) guidance document.

The findings of the HIMSS Cybersecurity Survey suggest that healthcare organizations are slowly improving their cybersecurity posture. This is not enough to keep pace with new threats. However, significant barriers to progress exist such as tight security budgets, growing legacy footprints, and a growing volume of cyberattacks and compromises. Now, more than ever, there is a need for better cybersecurity solutions, budgets, personnel and security awareness training to help resolve these challenges.