HIMSS Cybersecurity Survey Reveals Phishing and Legacy Systems Major Security Concerns

HIMSS has published the results of its annual cybersecurity survey. The aim of the survey is to identify common security problems and cybersecurity practices at healthcare companies.

The 2019 HIMSS Cybersecurity Survey was conducted with 166 health information security professionals between November and December 2018.

The 2019 survey showed security breaches are pervasive in healthcare. Roughly three quarters (74%) of healthcare organizations experienced a security breach in the past year. Only 22% said they did not suffer a significant security breach in the past 12 months. The figures are similar to the 2018 HIMSS Cybersecurity Survey, which showed 21% of participants said they did not suffer a significant security event in the previous 12 months.

The 2018 survey indicates 82% of hospital systems had a significant security event and approximately two thirds of non-acute care providers and vendor companies had also suffered a breach.

When asked about the threat actors behind the breaches, 28% of breaches were attributed to online scam artists. The tactics used by online scam artists to access healthcare systems and data include whaling, phishing, spear phishing and impersonation attacks such as business email compromise (BEC) scams. The attacks are performed to obtain sensitive data, gain access to healthcare networks, and convince healthcare employees to make fraudulent wire transfers. 20% of breaches were attributed to negligence by employees.

Examples of human error include the exposure of patient information by posting it on public websites, unintentional data leaks, and simple mistakes. These errors are due to lapses in security practices.

External threat actors utilize different strategies to access healthcare systems and patient information, although a large proportion of security breaches last year involved email. 59% of survey participants said that the main source of compromise was email. 25% said human error was a main cause of breaches.

Although email is a frequently used attack vector, 18% of healthcare organizations are not testing their defenses through simulated phishing attacks. Phishing simulations help to reinforce training and can identify weak links: employees who have not fully taken their training on board.

HIMSS recommends that all employees be provided with additional security awareness training, not only those engaged in security operations and administration. Members of security teams must also receive additional training on current and emerging threats in order to mitigate them.

Phishing is a major security concern, but so too is the continued use of out-of-date and unsupported software. Legacy software such as Windows Server and Windows XP is still widely used in healthcare. 69% of survey respondents admitted that they used some form of legacy software: 48% still use Windows Server and 35% still use Windows XP.

Although 96% of companies perform risk assessments, just 37% perform comprehensive risk assessments: 42% of respondents do not assess risks associated with their websites, 50% do not assess risks related to third-party entities, and 53% do not assess medical device risks.

On a positive note, 72% of survey respondents stated that their cybersecurity budget either increased by 5% or more or stayed the same.