The healthcare sector will remain one of the industries most targeted by cyberattackers because of the value of the data it holds, according to a report published Sept. 6 by Marsh & McLennan Companies' Global Risk Center.
In fact, more than one-quarter of healthcare organizations reported they had been victims of a cyberattack. This is more than financial institutions (20 percent) and nearly twice the rate in the communications, media and technology sector (14 percent).
The report’s data is taken from a survey of 1,312 senior executives conducted by Marsh in partnership with Microsoft.
Most healthcare organizations consider the financial impact of a cyberattack on their industry to be significant, with 70 percent estimating the cost per attack at $1 million or more. Business interruption and leakage of patient data are the loss scenarios respondents rated most critical.
Half of the respondents from the healthcare industry said they are not confident about managing and recovering from a successful cyberattack.
Almost two-thirds of healthcare organizations have not developed a cyber incident response plan. Alarmingly, 37 percent of respondents are not sure why their organization lacks such a plan, and only 22 percent are confident that their organization's cybersecurity controls and firewalls are adequate.
At the same time, healthcare organizations have taken a number of actions over the last 12 to 24 months to improve their cybersecurity posture:
- Conducted security gap assessment (60%)
- Conducted phishing awareness training for employees (58%)
- Implemented improved vulnerability and patch management (52%)
- Deployed encryption on desktops and laptops (52%)
- Instituted multifactor authentication for remote access to private networks (50%)
- Conducted penetration testing (42%)
- Made tangible improvements to cyber event detection (41%)
- Implemented a data loss prevention solution (39%)
- Developed a cyber incident response plan (35%)
- Reduced external system connectivity (34%)
More than half of healthcare respondents said their organizations measure their cyber risk exposure. Of those who do measure, 74 percent use “maturity levels” to benchmark against their peers, 30 percent use economic quantification, 23 percent use descriptive or qualitative rankings without categories, 16 percent use numerical rankings within a fixed framework, and only 16 percent use the NIST Cybersecurity Framework.
The report noted that proactive measures are needed to increase visibility of cyber risk issues within a healthcare organization and distribute cyber risk management responsibility across the organization.
Unfortunately, many healthcare organizations have yet to establish a holistic risk framework, governance, and adequate board oversight. Eighty-three percent of healthcare respondents indicated that responsibility for cyber risk sits mainly in IT, and that IT is the primary owner and decision-maker for managing cyber risk.
Cyber risk is not receiving sufficient visibility at the board level. Less than half of healthcare organizations include cyber risk-related issues in regular reporting to the board.
The report recommended a series of measures healthcare organizations can take to reduce their exposure, including developing a cyber incident response plan, conducting a cybersecurity gap assessment, and holding phishing awareness training for employees.
Another risk-management measure is the purchase of cyber insurance, which transfers part of the financial loss rather than preventing an attack. Close to half of the healthcare respondents said their organization had cyber insurance, 14 percent said they planned to purchase or increase cyber insurance, 15 percent said they did not have cyber insurance and had no plans to purchase it, and 22 percent did not know whether they had cyber insurance.
The lack of internal agreement on the need for cyber insurance and insufficient budget/resources are major impediments to cyber insurance adoption in the healthcare industry.
It is “important to prioritize the right skillsets within healthcare organizations to ensure that technologies and security can continually improve,” the report noted.
“Most importantly, there must be a mindset and behavioral shift, through education or campaigns, to instill a culture of cyber-awareness among all stakeholders – the public, patients, and the healthcare workforce, who will have greater access to medical records on more devices and platforms than before,” the report concluded.