The healthcare sector continues to make positive improvements around cybersecurity, with many organizations allocating more budget to shore up their defenses. However, legacy systems and failure to perform phishing tests “raise grave concerns” around the security of the healthcare ecosystem, according to the 2019 HIMSS Cybersecurity Survey.
HIMSS gathered feedback from 166 health information security professionals between November and December 2018 to gain insight into the security experiences and practices of US healthcare organizations. It found a number of overarching trends, including a pattern of cyber threats across the sector.
Here are some of the biggest takeaways.
Threats Continue to Proliferate
Online scam artists (28 percent) and negligent insiders (20 percent) were named by a combined 48 percent of respondents as the biggest threats to their organization, similar to the threats seen in the 2018 version of the report. The majority of significant security incidents were caused by bad actors, 56 percent of respondents said.
Further, one-third of security incidents were related to negligent insiders or actors with “benign motivations.” As a result, stakeholders need to be better educated on security best practices and IT leaders need to ensure adoption of these policies.
“In other words, the significant security incidents were not caused intentionally by this latter group, but rather were due to lapses in security practices and/or protocol,” the report authors wrote.
Email was the initial point of compromise for many of these significant security incidents, 59 percent of respondents said. Human error was the second most common initial point of compromise, cited by 25 percent.
These numbers are not surprising: email holds a trove of data, and phishing emails are inexpensive to generate, the report authors explained. Commonly, online scam artists masquerade as senior leaders within an organization and request sensitive data.
“While phishing continues to be a very effective approach for compromising the integrity of an organization, advances in security defensive efforts may push bad actors to look to exploit other points of compromises,” the report authors wrote. “Security leaders therefore need to diligently watch other areas of compromise.”
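The executive-impersonation pretext described above (an outside sender borrowing a senior leader's display name and asking for data in a hurry) is cheap for the attacker and easy to miss in a busy inbox, but several of its tells are mechanically checkable on the message headers. The script below is an added example, not code from HIMSS or the report; the organization domain, the executive directory and the three sample messages are all constructed for illustration, and in practice the directory would come from the identity system.

```python
"""Heuristic screen for executive-impersonation (BEC-style) email.

Added example, not from the HIMSS survey. ORG_DOMAIN, EXECUTIVES and the
sample messages are constructed; a real deployment would pull the executive
list from the directory and run this on mail flowing into a mailbox or SIEM.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"            # assumption: the organization's own domain
EXECUTIVES = {                               # assumption: directory of senior leaders
    "jane doe": "jdoe@example-health.org",   # CEO
    "raj patel": "rpatel@example-health.org",  # CFO
}

# Phrases typical of the "leader needs data/payment right now" pretext.
URGENCY_RE = re.compile(
    r"\b(urgent|asap|immediately|right away|wire|gift card|"
    r"patient (records|data|list)|w-?2)\b",
    re.IGNORECASE,
)


def _norm(name: str) -> str:
    """Lower-case, drop punctuation and sort words so 'Doe, Jane' == 'Jane Doe'."""
    words = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return " ".join(sorted(words))


_EXEC_BY_NAME = {_norm(name): addr for name, addr in EXECUTIVES.items()}


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg) -> str:
    """Concatenate the text/plain parts; HTML parts and attachments are ignored here."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        str(p.get_payload())
        for p in parts
        if not p.is_multipart() and p.get_content_type() == "text/plain"
    )


def assess(raw_message: str) -> dict:
    """Return {'findings': [...], 'suspicious': bool} for one RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].lower().rpartition("@")[2]
    body = _body_text(msg)
    findings = []

    # 1. An executive's display name attached to an address that is not theirs.
    expected = _EXEC_BY_NAME.get(_norm(display))
    if expected and addr != expected:
        findings.append(f"display name impersonates executive ({display!r} from {addr})")

    # 2. Sender domain is a near-miss of the organization's own domain.
    if from_domain and from_domain != ORG_DOMAIN and _edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Replies are silently redirected to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. External sender plus an urgent data or payment request.
    if from_domain != ORG_DOMAIN and URGENCY_RE.search(body):
        findings.append("urgent data/payment request from outside the organization")

    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real mail).
IMPERSONATION = """\
From: "Jane Doe" <jane.doe.ceo@freemail.example>
To: billing@example-health.org
Reply-To: "Jane Doe" <jane.doe.ceo@freemail.example>
Subject: quick favour
Content-Type: text/plain

I am in a meeting and need the patient records list for Q3 sent to me ASAP.
"""

LOOKALIKE = """\
From: "Raj Patel" <rpatel@example-heaith.org>
To: accounts@example-health.org
Subject: vendor payment

Please process the wire for the new imaging vendor immediately.
"""

LEGIT = """\
From: "Jane Doe" <jdoe@example-health.org>
To: all-staff@example-health.org
Subject: Thursday

Reminder that the staff town hall is Thursday at 3pm.
"""

if __name__ == "__main__":
    for label, sample in [("impersonation", IMPERSONATION), ("lookalike", LOOKALIKE), ("legit", LEGIT)]:
        print(label, assess(sample))
```

The two-finding threshold is deliberate: any single signal (an outside address with a familiar name, or the word "urgent") fires constantly on legitimate mail, so the value is in the combination. The lookalike check uses a plain edit distance of two or less against the organization's own domain, which catches single-character swaps such as "heaith" for "health" but not homograph attacks in other scripts; those need a confusables table, which this example does not include.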
As for human error, the report found this type of compromise is often caused by accidentally posting patient information to a public-facing site, accidentally leaking or breaching data, or other simple mistakes. Credential compromise originating from vendors or other clients was also identified as an initial point of entry.
“There is a pattern that is discernable: Significant security incidents are a near universal experience in US healthcare organizations with many of the incidents initiated by bad actors, leveraging e-mail as a means to compromise the integrity of their targets,” the report authors wrote.
However, insider threats are also common, as cybersecurity programs are challenging both to secure and to manage given internal data use and the need to exchange data with a wide variety of outside organizations for care delivery, the report found.
The frequency and complexity of that data exchange pose serious challenges: just 22 percent of respondents reported that they did not experience a significant security incident in the last year.
“With approximately two-thirds of non-acute and vendor organizations reportedly experiencing a security incident in the past 12 months, security challenges are very real concerns for leaders in these types of settings,” the report authors wrote.
The report noted that the trend is seen throughout healthcare. According to the Department of Health and Human Services’ Office for Civil Rights breach reporting tool, about 15 percent of health providers experienced a breach caused by hacking or an IT incident in the last two years.
It’s important to note that not all security incidents are breaches and therefore aren’t included in the OCR tally.
Resources play a significant role in the ability to detect and respond to these threats. Nearly half of respondents (46 percent) said the internal security team was responsible for uncovering these incidents, and 36 percent said it was other internal personnel.
But much like with the trends found in 2018, “external resources continue to play a secondary role in the detection of information security incidents.”
The report authors stressed that organizations need to devote the necessary resources to bolster their security defenses, including additional security awareness training and education for all staff – not just for those who deal with security on a daily basis.
Further, those tasked with security should receive additional training around the latest threats – and how to prevent them, the report authors wrote. “This includes giving healthcare cybersecurity professionals time off to take training classes and education and paying for them, as well.”
“Regular education and training is necessary to arm healthcare cybersecurity professionals with the knowledge and know-how to handle a variety of security incidents and know how to prevent, mitigate, and/or remediate them,” they added.
On a Positive Note
Healthcare security awareness is a primary concern of most organizations, according to the report. As a result, many are receiving the budget and resources to keep up with the ever-expanding threat landscape.
In fact, 59 percent of respondents said they felt empowered to drive change throughout their organization; the other 41 percent said they did not.
To combat this, the report authors recommended that “rather than being ‘hermetically sealed off’ from the rest of the organization they serve, cybersecurity professionals should be both a visible and integral part of the strategic planning and operational infrastructure of their organizations.”
Also notable, 55 percent of respondents reported that some designated portion of their current IT budget is allocated to cybersecurity, in varying degrees. Another 26 percent operate in a health system that does spend funds on cybersecurity despite having no cybersecurity carve-out in the IT budget.
Further, cybersecurity budgets are holding steady or growing: 72 percent of respondents indicated their budgets either increased by 5 percent or more or remained essentially the same.
Lastly, security risk assessments are a near-universal practice and are relatively uniform across the healthcare sector. Virtually all respondents said their organizations conducted risk assessments, with just 4 percent saying they did not.
For about 70 percent, these assessments included workstations and servers, networks, inventory of assets, physical security, clinical information systems, business and financial systems, and cybersecurity roles and responsibilities. The report authors note that 2019 assessments were much more uniform than in 2018.
Thirty-seven percent of respondents also stated their organization conducts end-to-end security risk assessments, as well – up from just 26 percent in 2018.
“The trajectory for risk assessments appears to be moving in a positive direction,” the report authors wrote. “While the best type of a security risk assessment is end-to-end… it’s good to see a more cohesive, holistic approach to conducting security risk assessments.”
“That all said, OCR recommends that the security risk assessment should be conducted accurately and thoroughly for the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the healthcare organization,” they added.