The State of Cybersecurity in Healthcare Organizations in 2016, sponsored by ESET, found that on average, healthcare organizations represented in this study have experienced almost one cyber attack per month over the past 12 months. Almost half (48 percent) of respondents say their organizations have experienced an incident involving the loss or exposure of patient information during this same period, but 26 percent of respondents are unsure.
The research reveals that healthcare organizations are struggling to deal with the same threats other industries face. According to 79 percent of respondents, system failures are the number one risk. The following threats are also considered serious: unsecure medical devices (77 percent of respondents), cyber attackers (77 percent of respondents), employee-owned mobile devices or BYOD (76 percent of respondents), identity thieves (73 percent of respondents) and mobile device insecurity (72 percent of respondents). Despite citing unsecure medical devices as a top security threat, only 27 percent of respondents say their organization has the security of medical devices as part of its cybersecurity strategy.
With cyber attacks against healthcare organizations growing increasingly frequent and complex, there is more pressure to refine cybersecurity strategies. Moreover, healthcare organizations have a special duty to secure data and systems against cyber hacks. The misuse of patient information and system downtime can not only put sensitive and confidential information at risk but also put the lives of patients at risk as well.
We surveyed 535 IT and IT security practitioners in a variety of healthcare organizations such as private and public healthcare providers and government agencies. Sixty-four percent of respondents are employed in covered entities and 36 percent in business associates (the two categories of organization regulated under HIPAA). Eighty-eight percent of organizations represented in this study have a headcount of between 100 and 500.
As shown in Figure 1, healthcare organizations are struggling to deal with a variety of threats: system failures (79 percent of respondents), unsecure medical devices (77 percent), cyber attackers (77 percent), employee-owned mobile devices or BYOD (76 percent), identity thieves (73 percent) and unsecure mobile devices (72 percent).
The following are key findings from this research:
Healthcare organizations experience monthly cyber attacks. On average, the organizations represented in this study experienced a cyber attack almost monthly (11.4 attacks per year) as well as the loss or exposure of sensitive and confidential patient information; however, 13 percent of respondents are unsure how many cyber attacks they have endured. Almost half of respondents (48 percent) say their organization experienced an incident involving the loss or exposure of patient information in the past 12 months, which puts many patients at risk of medical identity theft.
Exploits of existing software vulnerabilities and web-borne malware attacks are the most common security incidents. According to 78 percent of respondents, the most common security incident is the exploitation of a software vulnerability more than three months old, in other words a known flaw that had gone unaddressed for at least a quarter, which points to patch and vulnerability-management lag rather than novel attack techniques. A close second, according to 75 percent of respondents, is web-borne malware. These are followed by exploits of vulnerabilities less than three months old (70 percent), spear phishing (69 percent) and lost or stolen devices (61 percent).
How effective are measures to prevent attacks? Forty-nine percent of respondents say their organizations have experienced cyber attacks that evaded their intrusion prevention systems (IPS), while 27 percent are unsure. Thirty-seven percent say their organizations have experienced cyber attacks that evaded their anti-virus (AV) solutions and/or traditional security controls, while 25 percent are unsure. Only 26 percent of respondents say their organizations have systems and controls in place to detect and stop advanced persistent threats (APTs), and 21 percent are unsure.
On average, organizations have an APT incident every three months. Over a 12-month period, the organizations represented in this research had an APT-related incident about every three months (3.46 incidents in one year). Sixty-three percent of respondents say the primary consequence of APTs and zero-day attacks was IT downtime, followed by the inability to provide services (46 percent), both of which create serious risks in the treatment of patients. Forty-four percent say these incidents resulted in the theft of personal information.
DDoS attacks have cost organizations on average $1.32 million in the past 12 months. Thirty-seven percent of respondents say their organization experienced DDoS attacks that caused a disruption to operations and/or system downtime about every four months, at an average cost of $1.32 million over the year. The largest cost component is lost productivity, followed by reputation loss and brand damage.
Respondents are pessimistic about their ability to mitigate risks, vulnerabilities and attacks across the enterprise. Only 33 percent of respondents rate their organizations' cybersecurity posture as very effective. The primary challenges to becoming more effective are a lack of collaboration with other functions (76 percent of respondents), insufficient staffing (73 percent), and not enough money and cybersecurity not being considered a priority (both 65 percent).
Organizations are evenly divided on having an incident response plan. Fifty percent of respondents say their organization has an incident response plan in place. Information security and corporate counsel/compliance are the functions most involved in the incident response process, according to 40 percent and 37 percent of respondents, respectively.
Technology poses a greater risk to patient information than employee negligence. A majority of respondents say legacy systems (52 percent) and new technologies and trends such as cloud, mobile, big data and the Internet of Things are increasing the vulnerability of, and threats to, patient information. Respondents are also concerned about the impact of employee negligence (46 percent) and the ineffectiveness of business associate agreements in ensuring the security of patient information (45 percent).
System failures are the security threat healthcare organizations worry about most. Seventy-nine percent of respondents say system failures are one of the top three threats facing their organizations, followed by cyber attackers and unsecure medical devices (77 percent each). Employee-owned mobile devices in healthcare settings are also considered a significant threat by 76 percent of respondents. Once again, respondents are more concerned about technology risks than about employee negligence or error.
Hackers are most interested in stealing patient information. The most lucrative information for hackers is found in patients' medical records, according to 81 percent of respondents, followed by patient billing information (64 percent) and clinical trial and other research information (50 percent).
Healthcare organizations need a healthy dose of investment in technologies. On average, the healthcare organizations represented in this research spend $23 million on IT, of which an average of 12 percent is allocated to information security. Since an average of $1.32 million is spent annually just to deal with DDoS attacks, a business case can be made for increasing technology investments to reduce the frequency of successful attacks.
Most organizations are measuring the effectiveness of the technologies they deploy. At this time, 51 percent of respondents say their organizations measure the effectiveness of investments in technology to ensure they achieve their security objectives. The technologies considered most effective are identity management and authentication (80 percent of respondents) and encryption for data at rest (77 percent).
There is much more in the report, which can be downloaded for free here.