Skip to content Skip to navigation

Healthcare Organizations Need to Refine Cybersecurity Strategies, Develop Incident Response Plans, Study Finds

March 1, 2016
by Heather Landi
| Reprints
Click To View Gallery

Healthcare organizations average about one cyber attack per month and almost one out of two have experienced an incident involving the loss or exposure of patient information in the past 12 months. Yet despite these incidents, only half of healthcare organizations have an incident response plan in place, according to the results of Ponemon Institute’s The State of Cybersecurity in Healthcare Organizations in 2016 study.

For the study, Ponemon Institute and ESET, a security software vendor, surveyed 535 IT and IT security practitioners in small to medium-sized healthcare organizations in the U.S.

Based on the survey results, exploiting existing software vulnerabilities and web-borne malware attacks are the most common security incidents. According to 78 percent of respondents, the most common security incident is the exploitation of existing software vulnerabilities greater than three months old.

On average, healthcare organizations have an advanced persistent threat (APT) incident every three months. Respondents experienced an APT attack about every three months during the last year. The primary consequence of APTs and zero-day attacks, according to 66 percent of respondents, were IT downtime, followed by the inability to provide services (46 percent), which create serious risks for patient treatment.

Distributed Denial of Service (DDoS) attacks have cost healthcare organizations, on average, $1.32 million in the past 12 months, and that cost includes lost productivity, reputation loss and brand damage. In addition, 37 percent of respondents report having experienced a DDoS attack that caused a disruption to operations and/or system downtime about every four months.

"Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks," Larry Ponemon, chairman and founder of The Ponemon Institute, said in a statement "As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies."

Stephen Cobb, senior security researcher at ESET, said the concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security.

“The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management,” he said.

Not surprisingly, the majority of respondents said the most attractive and lucrative target for unauthorized access and abuse can be found in patients’ medical records.

 The survey also found that healthcare organizations worry most about system failures, with 79 percent citing that one of the top three threats facing their organizations, followed by cyber attacks and unsecure medical devices.

When gauging healthcare leaders’ viewpoints on what poses the greatest risk to patient information, more respondents (52 percent) said legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things (IoT) increase security vulnerabilities for patient information, compared to 46 percent citing employee negligence as a risk to patient information.

According to the Ponemon Institute, the survey results indicate that healthcare organizations need to increase technology investments to reduce the frequency of cyber attacks. On average, organizations represented in the research spend $23 million annually on IT, with 12 percent on average allocated to information security.



Survey: Healthcare Orgs Not Taking Mobile Security Seriously Enough

More than half (56 percent) of healthcare professionals believe their organization could be doing more to educate employees on HIPAA compliance and the rules around sharing protected health information.

Mount Sinai’s Research Arm Using Data Analytics to Address Health Inequities

The Arnhold Institute for Global Health at the Icahn School of Medicine at Mount Sinai is partnering with DigitalGlobe to create the Health Equity Atlas Initiative (ATLAS), a platform that standardizes and maps population data in order to generate insights that address health inequities.

FDA, Hospitals Work to Improve Data Collection about Medical Devices

The U.S. Food and Drug Administration is looking to improve the way it works with hospitals to modernize and streamline data collection, specifically safety data, about medical devices.

McKesson Unveils New Paragon Electronic Health Record Platform

McKesson Enterprise Information Solutions (EIS) announced the latest release of Paragon, its electronic health record (EHR) solution.

Catholic Health Initiatives and Dignity Health are in Merger Talks

Englewood, Colorado-based health system Catholic Health Initiatives is in merger talks with San Francisco-based Dignity Health to potentially create one of the largest nonprofit health systems by revenue in the country.

OSU Wexner Medical Center Receives AHIMA Grace Award

The Ohio State University Wexner Medical Center (OSUWMC) received the American Health Information Management Association (AHIMA) annual Grace Award in recognition of its leadership in health information management.