Cybersecurity News

90% Hospitals, Health Systems Faced Email-Based Cyberattack in 2019

Mimecast and HIMSS Media say hospitals and health systems are failing to prioritize employee security awareness training, as 90 percent experienced an email-related cyberattack in the last year.

healthcare email security employee security awareness training cyber hygiene risk management cybersecurity

By Jessica Davis

- The overwhelming majority of hospitals and health systems experienced an email-based cyberattack in the last year, with 72 percent experiencing downtime due to the security incident, according to a joint report from Mimecast and HIMSS Media.

The report reconfirms last year’s results, which showed the healthcare sector’s email security defenses lag behind other industries.

HIMSS Media surveyed hospital and health system leaders tasked with significant involvement with email security investments on behalf of Mimecast in November to get a sense of the threat landscape around email and data security within those environments.

According to the report, one out of four of these email-related attacks was rated very or extremely disruptive. Those organizations that faced the most disruptions in the last year were hit most frequently by attacks that impersonated trusted vendors or partners (61 percent) or credential-harvesting phishing attacks (57 percent), compared to other email-targeted attacks.

The findings mirror an earlier report from the Ponemon Institute that showed 14 percent of insider incidents involved hackers stealing credentials, which cost the sector $2.79 million each year. Credential theft was also behind the majority of phishing attacks in 2018.

The Mimecast/HIMSS Media report also showed that those that faced downtime named productivity (55 percent), data (34 percent), and financial (17 percent) as the three most common types of loss.

“The stat is remarkably consistent with other industries and other surveys,” said Matthew Gardiner, director of enterprise security marketing at Mimecast, in a statement. “Email attacks are so prevalent because email is one of the most ubiquitous applications in the world.”

“It’s easy for an attacker to reach into an organization via email. All an attacker needs to know is someone’s email address,” he continued. “All the reasons email is useful for legitimate purposes, make it useful for malicious purposes. Ultimately, email attacks are prevalent because they work.”

The effectiveness of these attacks also stems from failures with healthcare organizations’ employee security awareness training, a key part of any comprehensive cyber resilience program. In fact, 40 percent of respondents provide security training less than once per quarter, despite 77 percent saying its essential to protecting their organization against these types of cyberattacks.

Even worse, 11 percent admitted they only offered onboarding training or ad hoc training after a negative incident, rather than performing training on a schedule timeframe. And 27 percent only perform training once a year. Just 23 percent provide continuous employee security training.

For Gardiner, healthcare organizations are better off giving just 5 minutes of training once a month, rather than 15 minutes every quarter, as the increased frequency keeps the information at the top of the employee’s mind.

On a positive note, three-quarters of healthcare organizations have a cyber-resilience plan in place or plan to implement one in the near future. These providers have also made strong investments into cybersecurity tech, such as firewalls (80 percent), email security systems (79 percent), data backup and recovery (78 percent).

However, the researchers noted that until all providers implement these technologies, the sector remains in “considerable risk.”

“People frequently fixate just on the technologies and assume they are protected because they are using an antivirus system, a backup system, an email security system, and other tools,” Gardiner explained. “All of this is good. However, information technology professionals also need to think about other elements of a program.”

“IT professionals should focus on creating business processes that can shield them from attacks, on optimizing security tools, and on delivering effective staff education,” he added. “The problem is that people think, because they’re implementing some aspects of cyber resilience programs, they’re resilient. However, when they operate in the real world, they find that, unfortunately, they are not as protected as they thought, and they get disrupted. So, they need to re-scrutinize their resilience program.”

As hackers continue to target the healthcare sector with social engineering and email spoofing and cybercriminals continue to improve the sophistication of these attacks, bolstering email security will prove crucial for providers.

Some industry stakeholders have noted that taking some of the decisions away from users can reduce risk, while Microsoft found that 99.9 percent of automated cyberattacks are blocked with the use of multi-factor authentication.

Microsoft also recently shared some insights around email security that can help organizations improve their security posture. A 2019 JAMA study showed that phishing education and training can drastically reduce healthcare’s cyber risk.