A ransomware attack is the type of cyberattack that most worries healthcare IT professionals, according to a survey of 102 HIMSS18 attendees by security firm Imperva.
Almost 10 percent of those surveyed had paid a ransom or extortion fee, while almost half didn’t know whether they had paid a ransom or not.
Other types of cyberattacks that concerned respondents included insider threats, compromised applications, and distributed denial of service (DDoS) attacks.
More than one-third of healthcare organizations have suffered a cyberattack within the last year, the survey found.
More than three-quarters of respondents said they were very concerned about a cybersecurity event striking their organization and 15 percent admitted that their ability to handle a cyberattack needed work or a complete overhaul.
A jaw-dropping 28 percent of respondents said their organization did not have a senior information security leader, although 14 percent were looking to hire someone in the next 12 months.
One-quarter of respondents did not have a cyber incident response plan in place; one could assume that these respondents come from the same organizations that didn’t have a senior information security leader.
“Attackers understand the value of the data held by healthcare organizations, and as a result, they are quickly becoming a sweet spot for hackers looking to steal large amounts of patient records for profit,” said Imperva CTO Terry Ray.
“There have been a number of incidents recently where cybercrime has impacted hospitals and left them unable to access patient data, which demonstrates the consequences of a successful attack. It is crucial that healthcare organizations take steps to protect their data. To retain patient trust, organizations must provide an excellent defense at all times,” Ray added.
Regarding insider threats, a majority of respondents were most concerned about careless users. Additionally, 27 percent said a lack of tools to monitor employees and other insider activities made detecting insider threats difficult. Thirty-two percent indicated that collecting information from diverse security tools is the most time-consuming task when investigating or responding to insider threats.
“As we’ve seen in past high-profile cases, data breaches caused by careless, malicious or compromised insiders are a very real threat. However, because the user has legitimate access to enterprise data, attacks from the inside can take a long time to detect,” Ray noted.
“To mitigate the risk, organizations should ask themselves where their sensitive data lies and invest in protecting it. Businesses can employ solutions based on machine learning technology to process and analyze vast amounts of data. This will help them pinpoint critical anomalies that indicate misuse of data, so they can quickly quarantine risky users to prevent any further issues,” Ray said.
According to a recent survey by the CyberEdge Group involving 1,200 IT security decision makers, close to 20 percent of ransomware victims paid the ransom but still didn’t get their data back. A majority didn’t pay the ransom but recovered their data, presumably through data backups, while 19 percent paid the ransom and recovered their data, and 8 percent did not pay the ransom and lost their data.
A dominant 91 percent of respondents to the CyberEdge survey said they had at least one cloud security concern. Around 44 percent were concerned about maintaining data privacy and confidentiality in the cloud, 40.5 percent were worried about controlling access to their data in the cloud, 36.7 percent were bothered by monitoring threats in the cloud, 30 percent were tense about assessing cloud risk, while 28 percent fretted about maintaining regulatory compliance in the cloud.
Around 80 percent of respondents said their organization was experiencing a shortage of skilled IT security personnel. Security staffing challenges were most acute for IT security administrator, followed by IT security analyst, IT security architect, application security tester, and IT security auditor.
Around 75 percent of respondents in the healthcare sector said they were affected by a cybersecurity skills shortage, compared to 87 percent in education, 85 percent in telecom and technology, and 81.5 percent in manufacturing.