A strong cybersecurity posture in healthcare is critical to patient safety. Attacks on patient information, medical devices and a hospital’s systems and operations can have a variety of serious consequences. These can include disrupting the delivery of services, putting patients at risk for medical identity theft and possibly endangering the lives of individuals who have a medical device.
To determine the prognosis for healthcare organizations’ ability to reduce cyber attacks, Ponemon Institute conducted The State of Cybersecurity in Healthcare Organizations in 2018, sponsored by Merlin. We surveyed 627 IT and IT security practitioners in a variety of healthcare organizations that are subject to HIPAA. According to the research, spending on IT increased from an average of $23 million in 2016 to $30 million annually, and the average number of cyber attacks each year increased from 11 to 16. On average, organizations spend almost $4 million to remediate an attack.
Healthcare organizations are not immune to the same threats facing other industries. The threats that are the source of most concern are employee errors and cyber attacks. However, third-party misuse of patient data, process and system failures and insecure mobile apps also create significant risk.
The following factors are affecting healthcare organizations’ ability to secure sensitive data and systems:
- The existence of legacy systems and disruptive technologies, such as cloud, mobile, big data and Internet of Things, put patient information at risk.
- More attacks evade intrusion prevention systems (IPS) and advanced persistent threats (APTs).
- Disruptions to operations and system downtime caused by distributed denial of service (DDoS) attacks are increasing.
- Healthcare organizations are targeted because of the value of patient medical and billing records.
- A lack of in-house expertise and security leadership makes it more difficult to reduce risks, vulnerabilities and attacks.
Best practices from high-performing healthcare organizations
As part of the research, we did a special analysis of those respondents (59 respondents out of the total sample of 627) who rated their organizations’ effectiveness in mitigating risks, vulnerabilities and attacks against their organizations as very high (9+ on a scale of 1 = low effectiveness to 10 = high effectiveness). These respondents are referred to as high performers, and the analysis is presented in this report.
According to the research, these high-performing organizations are able to significantly reduce cyber attacks. Following are characteristics of high-performing organizations:
- More likely to have an incident response plan and a strategy for the security of medical devices.
- Technologies and in-house expertise improve their ability to prevent the loss or exposure of patient data, DDoS attacks and other attacks that evade their IPS and AV solutions.
- High-performing organizations are better at increasing employee awareness about cybersecurity risks.
- High-performing organizations also are more positive about the ability to ensure third-party contracts safeguard the security of patient information.
- High-performing organizations are more likely to have the necessary in-house expertise, including a CISO or equivalent.
Part 2. Key findings
In this section, we provide a deeper analysis of the research. When possible, we compare the findings in this year’s research to the 2016 study.
Trends in risks facing healthcare organizations: Why more cyber attacks are occurring
Patient information is under attack and at risk. Annually, on average healthcare organizations experience 16 cyber attacks, an increase from 11 attacks in the 2016 study. As shown in Figure 2, more than half (51 percent of respondents) say their organizations have experienced an incident involving the loss or exposure of patient information in the past 12 months, an increase from 48 percent in 2016.
Healthcare organizations are experiencing ransomware attacks. For the first time, ransomware attacks were included and 37 percent of respondents say their organizations experienced such an attack. While some security incidents decreased, healthcare organizations continue to be at great risk from a variety of threats.
More attacks evade intrusion prevention systems (IPS) and advanced persistent threats (APTs). Our survey shows 56 percent of respondents say their organizations have experienced situations where cyber attacks evaded their intrusion prevention, an increase from 49 percent of respondents in 2016. Forty-four percent of respondents say their organizations have experienced cyber attacks that evaded their anti-virus (AV) solutions and/or traditional security controls.
More organizations have systems and controls in place to detect and stop advanced persistent threats (APTs). Thirty-three percent of respondents say their organizations have systems and controls in place to detect and stop APTs, an increase from 26 percent of respondents in 2016.
Distributed denial of service (DDoS) attacks increase. Some 45 percent of respondents report their organization had a DDoS attack, an increase from 37 percent of respondents in the 2016 research. On average, organizations experienced 2.94 DDoS attacks in the past 12 months, an increase from 2.65 in 2016.
Hackers are most interested in stealing patient information. The most lucrative information for hackers can be found in patients’ medical records and billing information, according to 77 percent and 56 percent of respondents, respectively.
Figure: What types of information do you believe hackers are most interested in stealing?