The Ponemon Institute, which conducts research on privacy, data protection, and information security, has released the results of a survey of data breaches in healthcare organisations. The survey shows that 62% of healthcare organisations have experienced a data breach in the past 12 months. It was revealed that the majority of those organisations experienced data loss as a result of a breach.
The survey was sponsored by Merlin International, a cybersecurity company. Nearly 630 healthcare industry leaders from hospitals and payer organisations took part in the study. 67% of respondents worked in hospitals with 100-500 beds and had an estimated 10,000 to 100,000 networked devices.
It is estimated that over 5 million healthcare records were exposed or stolen in 2017. When it came to cybercrime, the healthcare industry was the second most targeted industry behind the business sector. 2017 was the fourth consecutive year that the healthcare industry ranked second for data breaches. Many experts agree that cyberattacks are likely to increase in years to come, putting more and more PHI at risk.
Although the threat of a cyberattack is high, around 51% of surveyed organisations have yet to implement an incident response program. This could severely hinder the recovery of an organisation if it were attacked. This lack of preparation may be due to the cost of implementing high-end security systems, the complexity of maintaining these systems, or the extra training required for already busy staff to use them.
As the Cost of a Data Breach Study by the Ponemon Institute showed, a fast response to a data breach can limit the harm caused to breach victims and reduce the cost of mitigating such an attack. Respondents reported that the cost of mitigating an attack and dealing with the fallout from a network compromise was approximately $4 million.
The survey sought to assess the healthcare industry’s awareness of the dangers of cybercrime. When asked about the biggest threats to their organisation and the types of attack that caused the most concern, internal and external threats were rated as a top concern by 64% and 63% of respondents respectively. The main perceived targets for hackers were electronic medical records (77%), patient billing information (56%), login credentials (54%), other authentication credentials (49%), and research information (45%).
The methods used to gain access to networks and data were highly varied across the organisations surveyed. The main method of attack was the exploitation of software and operating system vulnerabilities and the use of malware. 71% of respondents said vulnerabilities were exploited while 69% said attacks involved the use of malware. A further 37% of organisations had experienced ransomware attacks, in which access to the user’s system is blocked until a ransom is paid.
As medical technologies become more advanced, security of medical devices should be a major concern for healthcare organisations. However, nearly 65% of respondents said medical devices were not included in their overall cybersecurity strategy or they didn’t know if they were. Around 31% of respondents said they did not have any plans to include medical devices in their cybersecurity strategies in the near future, despite the threat they pose to the integrity of PHI.
The HHS’ Office for Civil Rights has raised awareness of the need to provide ongoing security awareness training to staff. Many cybersecurity experts have released data showing how security awareness training and phishing simulations can greatly reduce susceptibility to phishing attacks. Despite this push for awareness, healthcare organisations seem to be ignoring the advice of professionals and not providing adequate training for their staff. Many organisations still provide security awareness training to employees only annually, despite the nature of threats changing on a much more frequent basis. It is therefore unsurprising that 52% of respondents said a lack of employee security awareness was hampering their ability to improve their security posture.
Of those surveyed, 74% believed the biggest obstacle preventing them from improving security was staffing issues, and 60% said they do not have staff with the right cybersecurity qualifications in-house. Nearly 51% of respondents said they have not yet appointed a Chief Information Security Officer (CISO), which would greatly expedite the process of ensuring that the integrity of PHI is maintained.