Healthcare Informatics Magazine | Health IT | Information Technology

Cybersecurity Report: Stakes are High, but Healthcare Orgs Ill-Equipped

March 12, 2018
by Rajiv Leventhal

About 62 percent of healthcare executives admitted to experiencing a cyber attack in the past year, with more than half losing patient data as a result, according to a new survey from Merlin International, a cybersecurity solutions provider for healthcare organizations, in partnership with the Ponemon Institute.

Recognizing that hospitals and payer organizations face constant, increasingly destructive cyber attacks, this survey of 627 healthcare organization executives set out to examine the myriad cybersecurity-related challenges and how organizations are (or are not) addressing them.

Among healthcare providers surveyed, the majority set, manage and/or determine IT priorities, budgets and strategy while working at organizations with between 100 and 500 patient beds (67 percent) and an estimated 10,000 to 100,000 network-connected devices (66 percent).

The survey data revealed that organizations are equally concerned with external attacks (63 percent) as they are with employee negligence or malicious insiders (64 percent). But what are the bad guys after? When asked, respondents highlighted the top five items: patient medical records (77 percent); patient billing information (56 percent); log-in credentials (54 percent); passwords and other authentication credentials to systems, servers or applications (49 percent); and clinical trial and other research information (45 percent).

What’s more, hackers, who are eager to cause chaos, steal data or hold it for ransom, subject healthcare organizations to all types of attacks. The exploitation of existing software vulnerabilities more than three months old leads the way at 71 percent, followed closely by Web-borne malware attacks at 69 percent. While the report found many traditional attack types being used, the rise of ransomware—at 37 percent—“should raise alarm as this is a new and lucrative attack vector. Hackers are successfully earning significant income from holding systems and data hostage,” the researchers found.

Another concern is the security of medical devices. 65 percent of those surveyed responded “no” or “unsure” when asked whether the security of medical devices is part of their overall cybersecurity strategy. And though these devices appear to be a new and growing target for attackers, 31 percent have no plans to include them in the near future.

More than half (52 percent) of those surveyed agreed that a lack of employee awareness and training affects their ability to achieve a strong security posture. In addition, 74 percent cited insufficient staffing as the biggest obstacle to maintaining a fully effective security posture. According to responses, only 51 percent of organizations have a dedicated chief information security officer (CISO) and 60 percent surveyed don’t think they have the right cybersecurity qualifications in-house. What’s more, only half of the organizations (51 percent) have any type of incident response program at all.

“In an increasingly connected, digitally centric world, hackers have more opportunities and incentive than ever to target healthcare data, and the problem will only increase in scope over time,” Merlin International’s Director of Healthcare Strategy, Brian Wells, said in a statement. “Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care.”


Health System CISOs Form Group to Address Third-Party Risk

August 30, 2018
by David Raths, Contributing Editor
One goal: developing common vetting and oversight practices

Chief information security officers from six large health systems have formed a council to develop best practices around managing the information security-related risks in their supply chain and to safeguard patient safety and information.

The founding members of the Provider Third Party Risk Management Council include:

• Allegheny Health Network
• Cleveland Clinic
• University of Rochester Medical Center
• Vanderbilt University Medical Center
• Wellforce/Tufts University

One goal of the new organization is developing common vetting and oversight practices that will benefit health systems, hospitals and other providers in the United States and around the world.

In a prepared statement, Taylor Lehmann, CISO of Wellforce, parent organization of a health system that includes Tufts Medical Center and Floating Hospital for Children, described the challenge: “Health systems and other providers need to be more active in assessing and monitoring risks posed by third parties to protect patient information while delivering effective care. The primary challenge is organizations can engage with vendors of various sizes, maturity and complexity without really knowing whether the vendor should be engaged in the first place based on their beliefs and investment in cybersecurity.”

Supply chains are filled with third parties that support the care delivery process and require access to patient information. Properly vetting and monitoring these third parties is a major challenge, and in some cases insurmountable for organizations that simply don’t have the expertise or resources.

The council is working with the HITRUST Common Security Framework (CSF) and its assurance programs for this initiative to better manage risk. The organizations on the council have each independently decided to require their third-party vendors to become HITRUST CSF Certified within the next 24 months.

The Healthcare CISO: An Essential Cyber Guardian

August 24, 2018
by Nick Giannas, Industry Voice

Business-driven information security executives at the C-suite level remain in high demand. This is particularly true in the healthcare industry as cybersecurity incidents increase and evolve. The notion of not if, but when an attack will occur remains cemented in the minds of healthcare leadership teams and boards. Market trends and forces, such as the shift to a ubiquitous digital environment and consolidation through mergers and acquisitions, are fueling the increase in cybersecurity risk.

Three quarters of respondents to the most recent HIMSS cybersecurity survey said that their organizations had suffered a major security incident in the previous 12 months. Meanwhile, SecurityScorecard ranks healthcare 15th out of 18 industries in terms of cybersecurity preparedness.

With an undeniable and precarious cyber-threat landscape, the value of having a Chief Information Security Officer (CISO) continues to rise. With cyber-attacks threatening to disrupt care delivery and patient safety, increase breach costs, and damage brand reputation, the CISO role is a leadership imperative. Not only does a CISO drive an organization’s information security program, but the role is also critical in establishing a culture of cyber-safety and risk awareness that permeates the entire organization.

Recruiting Challenges

Provider organizations have made considerable progress in hiring CISOs over the past few years; however, some challenges still exist:

Salaries are rising with demand, pricing some organizations out of the market for top-notch executives; according to a recent Information Systems Security Association (ISSA) study – “The Life and Times of Cybersecurity Professionals” – the number one factor most likely to cause a CISO to leave one organization for another is being offered a higher compensation package. It is safe to say that healthcare CISOs as a separate category would have similar statistics.

Organizational budgets and commitments are still not where they should be, given the outsized risk that cybersecurity issues involve in healthcare; the same ISSA study suggests that another factor likely to cause a CISO to leave is that the budget for cybersecurity is not commensurate with the organization's size and industry.

Many healthcare organizations are still young in terms of their cybersecurity maturity. Responsibilities and reporting structures for CISOs vary from one organization to the next, making it difficult to recruit individuals with aligned skill sets and expectations.

Regarding the latter point, healthcare provider-based CISOs are primarily reporting up through IT and/or Corporate Compliance. Some CISOs are leading the Security Oversight function while others are responsible for all areas including security operations. Many organizations have elevated the CISO position to the Vice President level and are more open to recruiting candidates outside the industry, which has helped mitigate the high-demand, low-supply candidate pool dilemma.

What's Needed in Today's Healthcare CISO Candidates

As a result, identifying the ideal CISO is a necessity for healthcare organizations. The CISO must be an executive who can effectively lead the strategy and operations for the information security program of an enterprise.

The ideal background for a CISO in healthcare includes executive and board level presence with excellent communication and relationship-building skills. The ISSA study referenced above suggests that leadership skills (52 percent), communications skills (43 percent) and a strong relationship with business executives (35 percent) were the three most important qualities of a successful CISO. Other abilities that are essential for healthcare CISOs include:

  • Knowledge and experience in information security, risk management, and regulatory compliance;
  • Progressive experience in information security management, including planning and policy development and training/awareness;
  • Strong business acumen—the ability to enable the business while communicating risk;
  • Proven success as a strategic leader who is up-to-date on current and future trends including the utilization of security tools associated with artificial intelligence, machine learning and analytics;
  • Active engagement at the local and national level, sharing and learning intelligence and best practices in cybersecurity.

For many healthcare organizations, it is a matter of not if, but when they will begin ramping up their cybersecurity programs, technologies, and readiness. “The divide between the ‘real world’ and cyberspace is disappearing,” says Cleveland Clinic CISO Vugar Zeynalov. “Healthcare organizations are looking for cybersecurity professionals not to shield them from cyberspace, but to help them safely execute digital strategies.” The CISO has become a pivotal role from an operational and strategic standpoint.

Nicholas Giannas is a consultant in Witt/Kieffer’s Information Technology practice. Healthcare Informatics’ “Industry Voices” articles provide a platform for industry experts to weigh in on the latest healthcare IT trends and best practices. All Industry Voice submissions are subject to editorial approval and cannot include explicit mentions of vendor products.

Phishing Attack at Georgia Health System May Have Exposed 400K Patients’ Data

August 20, 2018
by Heather Landi, Associate Editor

Augusta University Health System, based in Augusta, Georgia, has reported that a phishing attack on email accounts that occurred last fall may have led to the unauthorized access of protected health information (PHI) of approximately 417,000 individuals.

In a notice posted on its website, Augusta University officials said the organization was targeted by a series of fraudulent emails on Sept. 10-11, 2017. “These sophisticated phishing emails solicited usernames and passwords, giving attackers access to a small number of internal email accounts,” officials said.

A second phishing attack occurred July 11, 2018, and appears to be smaller in scope, Augusta University President Brooks Keel, Ph.D., wrote in a separate message.

Augusta University officials said that, upon recognizing the nature of the attack, security leaders took action to stop the intrusion, including disabling the impacted email accounts, requiring password changes for the compromised accounts, and maintaining heightened monitoring of the accounts to ensure that no other suspicious activity was taking place.

On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given that user access to the personal information and PHI of approximately 417,000 individuals.

While the investigation verified that personal information was contained in compromised email accounts, no misuse of information has been reported at this time, Keel wrote in his message.

In some cases, patient information that may have been contained in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and/or insurance information.

For a small percentage, information that may have been viewed included a Social Security number and/or driver’s license number, organization officials said.

Keel also wrote that IT staff reacted quickly to contain the July 11, 2018, attack. “The number of email accounts involved in this attack is fewer than those in the September attack. The investigation into the consequences of that attack is still underway,” Keel wrote.

In response to the incident, the organization has taken, or will promptly initiate, several actions to protect against future incidents, Keel stated. Organization leadership created a new position of vice president for audit, compliance, ethics and risk management to bring “fresh leadership and direction to compliance functions.”

The organization also is implementing multifactor authentication for off-campus email and system access, reviewing and adopting solutions to limit email retention, and leadership is taking steps to implement a policy banning PHI in email communications.

In addition, Augusta University officials said the organization is employing software to screen outgoing emails for PHI or personally identifiable information (PII) and block them from being sent, increasing employee training in preventing security breaches, and enhancing compliance-related policies and procedures.

Augusta University will offer free credit monitoring services for one year to individuals whose Social Security number was included in the compromised email accounts.
