LAS VEGAS - Healthcare cybersecurity must improve, as organizations average about one healthcare cyber attack per month, according to a recent Ponemon survey.
In The State of Cybersecurity in Healthcare Organizations in 2016, Ponemon also found that 48 percent of those surveyed said their organizations had experienced an incident involving the loss or exposure of patient information during the last year. However, only half of respondents said that their organization currently has an incident response plan in place.
For the survey, 535 IT and IT security practitioners in small- to medium-sized healthcare organizations in the U.S. were interviewed. Furthermore, 64 percent are employed by HIPAA covered entities, while 36 percent work for business associates of covered entities.
"Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks," Larry Ponemon, chairman and founder of The Ponemon Institute, said in a statement. "As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records."
Ponemon added that healthcare organizations are therefore "under more pressure than ever" to ensure that their cybersecurity strategies have been perfected.
The survey also showed that 78 percent of respondents reported that the most common security incident is the exploitation of existing software vulnerabilities more than three months old. Seventy-five percent of those surveyed said that Web-borne malware attacks were the most common.
The following were listed as top security threats for healthcare organizations, with respondents able to list more than one as their main concern:
- System failures (79 percent)
- Unsecure medical devices (77 percent)
- Cyber attackers (77 percent)
- BYOD (76 percent)
- Identity thieves (73 percent)
- Mobile device insecurity (72 percent)
Perhaps unsurprisingly, 81 percent of those surveyed said that patient medical records were the most attractive and lucrative target for unauthorized access.
However, employee negligence is also a factor when it comes to inappropriate PHI access. Specifically, 46 percent cited concern over employee negligence, while 45 percent were worried about "the ineffectiveness of HIPAA-mandated business associate agreements designed to ensure patient information security."
Respondents were also somewhat unsure about their organization's ability to prevent attacks. For example, 49 percent said their organizations had experienced situations where cyber attacks evaded their intrusion prevention systems (IPS), while 27 percent said they were unsure whether this had happened.
"Respondents are pessimistic about their ability to mitigate risks, vulnerabilities and attacks across the enterprise," the report stated.
This is supported by the fact that just one-third of respondents called their organizations' cybersecurity posture very effective. The primary challenges in building effectiveness were the following:
- 76 percent cited a lack of collaboration with other functions
- 73 percent cited insufficient staffing
- 65 percent each cited insufficient funding and cybersecurity not being considered a priority
"The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels," explained Stephen Cobb, senior security researcher at ESET, which sponsored the survey. "A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms."
Specifically, Cobb cited effective DDoS and malware protection, strong authentication, encryption and patch management as areas that organizations must improve for stronger healthcare cybersecurity.
In terms of investment, the survey showed that there is room for improvement when it comes to information security. Respondents' organizations spend an average of $23 million annually on IT, according to Ponemon, while on average only 12 percent of that budget is dedicated to information security.
"Since an average of $1.3 million is spent annually for DDoS attacks alone, a business case can be made to increase technology investments to reduce the frequency of successful attacks," Ponemon explained in a statement.