- Ransomware, advanced persistent threats (APTs), and phishing attacks are the top most feared threats in healthcare cybersecurity, according to a recent HIMSS survey. While the majority of organizations have made efforts to prioritize their information security efforts, there is also still room for improvement.
The 2016 HIMSS Cybersecurity Survey found that over 85 percent of respondents said that cybersecurity efforts within their organization were elevated as a business priority during the past year. Specifically, 70 percent of those surveyed said they improved their network security, while 61 percent reported they improved their endpoint protection.
For the survey, HIMSS questioned 150 information security leaders who report having some degree of responsibility for information security in a US-based healthcare provider organization, such as a hospital or long-term care facility.
“Cybersecurity attacks have the potential to yield disastrous results for healthcare providers and society as a whole,” HIMSS Senior Director of Health Information Systems Rod Piechowski said in a statement. It is imperative that healthcare providers acknowledge the need to address cybersecurity concerns and act accordingly. Fortunately, the evidence from this study suggests providers are taking steps to address cybersecurity concerns.”
Piechowski added that progress still must be made so healthcare providers can ensure they stay ahead of the cybersecurity threats.
Surprisingly, not all respondents reported that they were using anti-virus and anti-malware software. Just 84.9 percent of those surveyed in acute care facilities said they used those tools, while 90.3 percent in non-acute care facilities reported that they did so.
“Without the use of a firewall (or functionally equivalent technology), providers likely lack the ability to prevent or mitigate virus, malware, and other forms of malicious or undesirable software,” the report’s authors explained. “With tens of thousands of malware variants being generated each day, this lack of defense may leave an organization wide open to compromise.”
Data encryption options are also not being implemented by all facilities, as 68.1 percent of acute providers and 48.4 percent of non-acute providers are encrypting data in transit. The numbers are similar for data at rest encryption, with 61.3 percent of acute providers utilizing it and 48.4 percent of non-acute providers encrypting data at rest.
“This, as well, leaves the door wide open to potential tampering and corruption of the data, in addition to a large potential for a breach,” the report reads. “If a computer, laptop, thumb drive, or backup were to be stolen, any person would be able to access such information.”
The pervasiveness of data security attacks and breaches is like a reason why more organizations are prioritizing information security efforts, according to HIMSS. The survey found that 80 percent of providers in 2016 admitted that their organization had experienced a recent “significant security incident.”
The authors did note that some providers may have been reluctant to share information related to security incidents, and that the 80 percent number may be under-represented.
Medical identity theft was cited by the majority of respondents - 76.7 percent - as the primary motivation behind attacks. Black market activities/organized crime was listed as the top motivational factor by 47.3 percent of respondents, with 47.3 percent also citing workforce members snooping on information of other patients.
The survey also found that a lack of appropriate cybersecurity personnel was the top barrier to mitigating cybersecurity risks, with 58.7 percent of respondents listing it. The second most common barrier was a lack of financial resources (54.7 percent) and too many emerging and new threats (49.3 percent) was the third most common barrier to mitigating cybersecurity risks.