Cybersecurity and Privacy

Cybersecurity and Security Incidents in Healthcare Infographic

Avoiding security incidents

The most recent HIMSS Cybersecurity Survey provides insight into the cybersecurity landscape of healthcare organizations, based on feedback from 168 U.S.-based healthcare cybersecurity professionals. Healthcare organizations face a barrage of significant security incidents such as phishing, ransomware, and social engineering attacks, in addition to the challenges of dealing with the COVID-19 pandemic.

Significant security incidents continue to plague healthcare organizations of all types and sizes. Often, securing information and infrastructure is quite complex. The confidentiality, integrity, and availability of information are equally important to preserve. This is, however, a difficult balancing act. In this survey, 70% of respondents indicated that their organizations experienced significant incidents in the past twelve months. Other highlights include:

  • Phishing is the most common type of significant security incident. Most phishing is either general phishing or spear-phishing occurring via email. Top threat actors include online scam artists and cybercriminals.
  • Financial information is king. Threat actors typically seek the following: financial information, employee information, and patient information.
  • Workforce members are the first line of defense. Internal security teams and internal personnel, including non-IT professionals, typically report significant incidents to the organization.
  • Disruptions of IT operations and business operations are typical outcomes of cyberattacks. Disruption of clinical care, or damage to or destruction of clinical care systems and devices, also occurs.
  • Budgets are still tight and have mostly stayed static from year to year.
  • As a result of security risk assessments, organizations are implementing new or improved security measures and drafting, revising, and/or testing policies, procedures, and documentation.

The findings of the survey suggest that healthcare organizations are slowly improving their cybersecurity posture. This is not enough, however, to keep pace with new threats. Significant barriers to progress exist, such as tight security budgets, growing legacy footprints, and a growing volume of cyberattacks and compromises. Now, more than ever, there is a need for better cybersecurity solutions, budgets, personnel, and security awareness training to help resolve these challenges.

Healthcare organizations need to make cybersecurity a fiscal, technical, and operational priority. Upgrading or replacing legacy systems, conducting end-to-end security risk assessments, enhancing cybersecurity awareness and training programs, and increasing cybersecurity budgets are a few proactive steps that can be taken. It is time for healthcare organizations to improve their security postures. Robust cybersecurity is essential for normal operations, patient safety, and data protection.

Infographic with data on cybersecurity and security incidents in healthcare
