Hospitals and payer organizations could make major strides in improving their healthcare cybersecurity measures by hiring the right staff members and by implementing comprehensive employee education and training, according to a Merlin International and Ponemon Institute study.
Nearly two-thirds of surveyed healthcare organizations (HCOs) said they experienced a cybersecurity attack in the past 12 months, the 2018 Impact of Cyber Insecurity on Healthcare Organizations study showed.
Researchers interviewed 627 healthcare professionals, including executives/VPs, directors, managers, supervisors, and technicians/network administrators.
Over half of respondents (52 percent) stated that a lack of employee awareness and training affects the organizational approach to strong security. Seventy-four percent said that insufficient staffing was the biggest obstacle to maintaining effective cybersecurity.
“In an increasingly connected, digitally centric world, hackers have more opportunities and incentive than ever to target healthcare data, and the problem will only increase in scope over time,” Merlin International’s Director of Healthcare Strategy Brian Wells said in a statement. “Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care.”
Fifty-eight percent of respondents cited legacy systems as the top reason why patient information is at risk. New technologies (i.e., cloud, mobile, big data, Internet of Things) were the second highest rated risk to patient data (57 percent), followed by employee lack of awareness (52 percent).
The report also showed an increase in distributed denial-of-service (DDoS) attacks. Forty-five percent of those surveyed said their organization experienced a DDoS attack in the past 12 months that caused a disruption to operations and/or system downtime. Thirty-seven percent of respondents said the same in FY2016.
Seventy-seven percent of respondents said hackers were most interested in stealing patient medical records, with patient billing information (56 percent), login credentials (54 percent), passwords and other authentication credentials (49 percent), and clinical trial and other research information (45 percent) also highly sought after.
Researchers also noted that HCOs are improving their ability to mitigate risks, vulnerabilities and attacks across the enterprise.
Respondents were asked to rate their organization’s effectiveness at mitigating risks, vulnerabilities and attacks across the enterprise on a scale of one to 10, with one being not effective and 10 being very effective.
Forty percent of those surveyed said their organization’s cybersecurity posture was very effective, compared with one-third of respondents who said the same in FY2016.
Insufficient staffing, lack of collaboration with other functions, and an insufficient budget were cited as the primary barriers to having a stronger cybersecurity program, the report showed.
More organizations are aware of potential medical device cybersecurity threats, with 35 percent of respondents saying protecting medical devices is part of their overall cybersecurity strategy. In FY2016, 27 percent of HCOs said medical devices were part of their strategy. Sixty-two percent of entities that said they do not currently address medical device security plan to do so in the next 12 months.
Over half of respondents (53 percent) said senior leadership support is the most important advantage to reducing cybersecurity threats. Understanding how to protect against cyber attacks (44 percent), considering cybersecurity threat mitigation a top priority (28 percent), and having clear leadership (25 percent) were also key ways to reduce cyber threats.
“Despite the risk of employee error, many healthcare organizations are not taking steps to increase awareness about cybersecurity threats,” report authors wrote. “Less than half (48 percent) of respondents say they have awareness programs in place.”
“These organizations typically have regular training and awareness programs, monitor employees and conduct audits and assessment of areas most vulnerable to employees’ lack of awareness,” researchers continued.
Fifty-six percent of HCOs said it was either extremely difficult or difficult to recruit IT security personnel. One-third of respondents said they have a sufficient number of in-house personnel who possess the right work histories and specialized training.
There has also been an increase in IT spending in an effort to properly respond to cybersecurity risks. Respondents reported that they are spending $30 million on IT, an increase from the $23 million in 2016.
Healthcare cybersecurity incidents are expensive, researchers noted. Remediation and technical support activities (i.e., forensic investigations, incident response activities, help desk and customer service operations) often have the highest costs, with approximately $1 million going to such activities.
Disruption to normal operations because of system availability problems was the second costliest area, accounting for $959,688.
Researchers also noted that high-performing healthcare organizations are better able to defend against cybersecurity attacks. These are respondents who rated their organizations’ effectiveness in mitigating risks, vulnerabilities and attacks against their organizations as very high (nine or higher on a scale of one to 10).
High-performing organizations are more likely to have an incident response plan and a strategy for the security of medical devices in place. These entities are also better at increasing employee awareness about cybersecurity risks and have the technologies and in-house expertise “to prevent the loss or exposure of patient data, DDoS attacks and other attacks that evade their IPS and AV solutions.”
High-performing organizations are also more likely to have a CISO or equivalent position in place.
Healthcare cybersecurity threats are only going to continue to grow more sophisticated and impact covered entities. Organizations should ensure they are taking the time to hire the right cybersecurity and IT staff, and are regularly training those individuals.
Investing in appropriate technologies, including but not limited to data encryption, identity management and authentication, intrusion detection and prevention systems, and anti-virus/anti-malware will also be essential for cybersecurity attack prevention.