Each year, HIMSS, the powerhouse in healthcare information systems, conducts a survey specifically around cybersecurity in healthcare organizations across the country. This year, the cybersecurity survey results are based on responses from 166 provider organizations.
The survey analysis document is 24 pages long. In the interest of your time, we pulled what we felt are the top 10 most interesting survey findings. You’ll also find the survey’s Executive Summary, pulled straight from the source, at the end of our top 10 list.
- 82 percent of hospital respondents surveyed said they had experienced a significant security incident in the last 12 months.
- 56 percent of respondents noted “bad actors” were the sources responsible for their security incidents. This was classified as phishing, spear phishing, whaling, business email compromise, hackers, social engineers, etc.
- 31 percent of security incidents were attributed to negligent insiders – well-meaning but negligent individuals with trusted access who may facilitate or cause a data breach or other cyber incident.
- Email was cited as the most common initial point of compromise for significant security incidents (59 percent).
- 38 percent of respondents indicated their cybersecurity budgets increased by 5 percent or more.
- Security Risk Analyses are being conducted at nearly every healthcare organization, but follow-through and remediation actions leave something to be desired.
- Only 46 percent of organizations conducted a penetration test after their Security Risk Analysis.
- The idea of “too many emerging and new threats” is the greatest identified barrier for remediation and mitigation of security incidents.
- 70 percent of hospitals have an identifiable “click rate” on phishing tests. 45 percent of these organizations have a click rate of less than 10 percent on their phishing tests.
- The top three sources cited where respondents get their Cyber Threat Intelligence are peers / word of mouth (68%), US CERT alerts and bulletins (60%), and HIMSS sources (53%).
EXECUTIVE SUMMARY FROM HIMSS (directly from the report)
The 2019 HIMSS Cybersecurity Survey provides insight into the information security experiences and practices of US healthcare organizations in light of increasing cyber-attacks and compromises. Reflecting the feedback from 166 US-based health information security professionals, the findings of this study distill as follows:
- A pattern of cybersecurity threats and experiences is discernible across US healthcare organizations.
  - Significant security incidents are a near-universal experience in US healthcare organizations, with many of the incidents initiated by bad actors leveraging e-mail as a means to compromise the integrity of their targets.
- Many positive advances are occurring in healthcare cybersecurity practices.
  - Healthcare organizations appear to be allocating more of their information technology (“IT”) budgets to cybersecurity.
- Complacency with cybersecurity practices can put cybersecurity programs at risk.
  - There are certain responses that are not necessarily “bad” cybersecurity practices, but may be an “early warning signal” about potential complacency seeping into the organization’s information security practices.
- Notable cybersecurity gaps exist in key areas of the healthcare ecosystem.
  - The lack of phishing tests in certain organizations and the pervasiveness of legacy systems raise grave concerns regarding the vulnerability of the healthcare ecosystem.
Cybersecurity awareness has come a long way, even in the last year. Organizations have a better understanding of the implications of security risks and are better equipping themselves and their staff to be prepared for relevant threats.
Though organizations are more prepared, hackers are getting more sophisticated with their attacks. Security Risk Analysis can help your organization stay on the leading edge of protecting your data, users, and patients.