Recently, the Ponemon Institute conducted an extensive research study into the state of cybersecurity among healthcare professionals. The results were dismal. On average, the healthcare organizations included in the study suffered at least one cyberattack per month over the last 12 months. In addition, nearly half of the study’s respondents have experienced a cyberattack that caused them to lose or expose patient data.
The data that is lost or exposed to cybercriminals can include patients’ names, social security numbers, addresses, insurance information, as well as their personal medical history. This data is sold on the deep web, the internet’s black market, where buyers can then use the information to impersonate a victim and receive free medical care.
It is the responsibility of the healthcare organization to protect and secure its patients’ personal data, and as this study shows, they aren’t doing a great job at it. Here are some key findings from the study:
One in four health IT professionals don’t understand the cyberattacks that are hitting them or what they are doing to defend themselves against such attacks. Much of the time, the study’s respondents simply did not know the answers to the questions asked. 25% of those surveyed didn’t know how many cyberattacks their organization suffered in the past year, whether or not they had lost or exposed patient data, how cybercriminals and other attacks got into their network, or whether they are prepared to stop advanced persistent threats. When IT staff have no understanding of the threats facing their organization, they have no ability to prevent attacks. In fact, 39% of health IT pros said that they had “no understanding of how to protect against cyberattacks.”
50% of healthcare organizations have no incident response plan. This indicates that these organizations don’t have policies or procedures in place regarding their technology, and that employees, the weakest link in the cybersecurity chain, are not being educated on what they can and can’t do with company technology. There needs to be a written incident response plan so employees know how to react when (not if) a cyberattack occurs. We recommend having a professional write an Information Security Policy.
The most common attacks occur through exploits of software vulnerabilities and through malware. The types of attacks are important because they indicate where IT pros need to focus their attention. Other common security incidents include spear phishing, lost or stolen devices, SQL injection, and spyware, among others.
DDoS attacks cost each organization $1.32 million per year on average. DDoS stands for Distributed Denial of Service: multiple systems are compromised, typically with a Trojan, and then directed together at one target system. DDoS attacks can take a whole system offline, causing massive amounts of downtime. 37% of survey respondents said that they experienced DDoS attacks once every four months, on average. The largest costs associated with these attacks come from downtime and from damaged reputations.
The primary challenge in creating a more secure environment is a “lack of collaboration” with other functions. This indicates that the security measures healthcare organizations need to employ are not easily integrated into day-to-day operations. Other challenges include low IT budgets and staff shortages.
The top threats that most organizations worry about are system failures, insecure medical devices, cyberattacks, and employee-owned mobile devices, in that order. This shows that organizations are more concerned about technology risks than about employee negligence. In fact, employee negligence is their lowest concern. While their concerns are legitimate and may accurately reflect their own organization, they do not reflect the cybersecurity landscape as a whole. Employee error actually causes 30% of data breaches, making it the number one cause. This shows a disconnect between health IT pros’ knowledge and actual cybersecurity data.
The technology solutions that are the most effective defense are identity management, authentication, and encryption. The one bright spot on the horizon is that 51% of healthcare organizations are measuring the effectiveness of their security efforts. Identity management and authentication both seem to help, as does encryption of data while it is stored and while it is transmitted. Other effective IT solutions are antivirus software, intrusion detection, firewalls, and use of Virtual Private Networks.