A recent survey of healthcare IT security leaders indicates that the healthcare industry’s level of readiness to defend against concerted cyber attacks has improved in the past two years, which shows progress toward strengthening healthcare organizations’ security postures. However, the bad news is, despite the rising threats, the number of healthcare organizations making investments in information security has actually declined since 2015.
KPMG, an audit, tax and advisory services firm, surveyed 100 CIOS, chief technology officers (CTOs), chief security officers (CSOs) and chief information security officers (CISOs) from both healthcare provider organizations and payers with over $500 million in annual revenue. The firm’s 2017 Cyber Healthcare and Life Sciences Survey found a dramatic rise in computer system breaches and data compromises, which include patient records, over the past two years. And, yet, more C-level IT security executives say they are better prepared than two years ago to protect their organizations against cyber attacks.
Almost half (47 percent) of organizations, including both providers and health plans, said their organizations had instances of security-related HIPAA (Health Insurance Portability and Accountability Act) violations or cyber attacks that resulted in data loss or system compromise in the past two years. That compares to 37 percent of respondents in KPMG’s 2015 survey, an increase of 10 percentage points.
When asked about “readiness to defend against a concerted cyber attack,” 35 percent of CIOs, CISOs, CTOs and CSOs at provider and payer organizations said they are “completely ready” versus 16 percent in 2015. In the survey, respondents were asked to rate their “readiness” at a level of 1 (not at all ready) to 5 (completely ready). Thirteen percent of respondents rated their organization at level 3 and 52 percent rated their organization at level 4. None of the organizations rated themselves as level 1 or 2.
Despite the rising threats, KPMG’s survey found that cyber security as a board agenda item has declined over the past two years (79 percent versus 87 percent in 2015). In addition, KPMG found a disconnect regarding cyber investment in this volatile environment. A smaller majority of healthcare companies made investments in information protection in the prior 12 months (66 percent versus 88 percent in the 2015 survey).
“Healthcare payers and providers are on treacherous ground here and some organizations are underestimating cyber-security risks,” KPMG’s healthcare advisory leader Dion Sheidy said in a statement. “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate. The WannaCry ransomware hack in May was a warning shot against our collective ability to protect patient safety and privacy.”
In an interview about the survey findings, Michael Ebert, leader of KPMG’s cyber security group in healthcare and life sciences, says he is concerned that there is a level of complacency in the healthcare industry regarding cyber risks. “I think the industry has become a bit numb to the fact, that, well, we’re going to have cyber instances and we see it in the news all the time when there is another breach. And, you always see that company in business the next day, so there is complacency building. It’s fallen off the board agenda a little, which is a shame, because we continue to see high rates of infection. There are organizations in the healthcare industry taking this issue very seriously, but to have that broad response reflected in the survey, it’s concerning.”
Regarding recent ransomware and malware cyber attacks, such as WannaCry and Petya, he adds, ‘The last major attack, the hackers did certain modifications and, more importantly, they made it so that it would spready much more rapidly. They are testing our cyber defense capabilities. And, we’ve seen it rip right through institutions. Once it gets in, it just rapidly goes through, and to slow that down or stop it, you’ve got to pull plugs. We’re at war, it’s just a different type of war that’s going to cost the capital economy billions of dollars a year.”
According to the survey, data sharing with third parties is seen as one of the biggest vulnerabilities among healthcare providers and insurers with 63 percent of respondents mentioning it, topping Internet-enabled devices not fully controlled by IT and the lack of resources/budget. Yet sharing data is an important element of coordinating care and succeeding in a healthcare reimbursement environment that is moving away from paying for activity (fee-for-service) and toward outcomes.
Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.