Survey: 75 Percent of Healthcare Orgs Saw a Significant Security Incident Last Year | Healthcare Informatics Magazine


March 13, 2018
by Heather Landi

A recent cybersecurity survey conducted by the Health Information and Management Systems Society (HIMSS) found that 75 percent of healthcare organizations experienced a significant security incident in the past 12 months. And, while more organizations view cybersecurity as a business priority, most healthcare organizations’ cybersecurity programs have room for improvement.

The 2018 HIMSS Cybersecurity Survey, based on the feedback from 239 health information security professionals, provides insight into what healthcare organizations are doing to protect their information and assets, in light of increasing cyber-attacks and compromises impacting the healthcare and public health sector.

“Significant security incidents at healthcare organizations have not slowed down by any means. If anything, it is projected that significant security incidents will continue to grow in number, complexity, and impact,” the report stated.

The survey found that 75.7 percent of healthcare organizations experienced a significant security incident in the past 12 months. While 21 percent said they did not have a recent significant security incident in the past year, 3 percent said they did not know.

What’s more, almost all respondents (96 percent) who said their organizations had experienced a significant threat were able to characterize the threat actor. The top threat actor was the online scam artist involved in activities such as phishing and spear phishing (30 percent). Sixteen percent of respondents said negligent insiders were responsible for the most significant security incident, and another 16 percent identified hackers as the top threat actor.

Malicious insiders (4 percent), social engineers (3.7 percent), hacktivists (3 percent), and nation state actors (2 percent) also were identified as threat actors.

The majority of respondents (61.4 percent) indicated that the initial point of compromise was via e-mail (e.g., phishing e-mail). Others indicated that the initial point of compromise fell in the “other” category (12.7 percent). For the “other” category, the initial points of compromise included web application attacks, compromised customer networks, weak passwords, misconfigured cloud servers, and human error.

A minority of respondents (about 3 percent or less) indicated that the initial point of compromise was by way of a compromised organizational website (3.2 percent), hardware or software infected with malware “off the shelf” (3.2 percent), infected or compromised mobile device or medical device (each 2.1 percent), third party websites (1.6 percent), or a compromised cloud provider/service (1.6 percent).

When looking at time to discovery of a security incident, the largest share of respondents (47 percent) said it took less than 24 hours for their organization to discover the attack; 13 percent said it took one to two days and 7 percent said it took three to seven days.

The HIMSS Cybersecurity report findings also yielded a few notable themes. Healthcare organizations with cybersecurity programs are making positive efforts towards improvement. More resources are dedicated to cybersecurity programs, the report stated. The vast majority of respondents (84.3 percent) indicated that their organizations’ use of resources to address cybersecurity concerns has increased. Yet others indicated that there has not been a change in resources since last year (11 percent). Still others indicated that their organizations’ use of resources has decreased (3.3 percent).

In the 2015 and 2016 HIMSS Cybersecurity Surveys, the majority of respondents indicated that cybersecurity was a business priority for their respective organizations. In the 2017 survey, 60 percent of respondents indicated that their organization employs a senior information security leader.

More than half of respondents (55 percent) said their organizations have a dedicated or defined amount of the current IT budget allocated for cybersecurity. However, a fair number of respondents (26.5 percent) have no specific carve-out for cybersecurity within the IT budget (although money is still spent on cybersecurity).

According to the survey report, another finding is that proactive measures are being taken as a result of regular risk assessments. Penetration testing and security awareness training are regularly conducted, the report stated. A little less than half of respondents (45 percent) said risk assessments are conducted once a year.

One positive trend is that 70 percent of respondents said cybersecurity assessments were conducted as part of their organization’s due diligence analysis when acquiring a product or service for their organizations. While this is a positive trend, 26 percent of respondents said their organizations don’t do these kinds of cybersecurity assessments as part of due diligence.

According to the survey, most healthcare organizations’ cybersecurity programs have room for improvement. “Significant barriers exist for remediating and mitigating security incidents, namely, personnel and financial resources. Some organizations do not yet have formal insider threat management programs. Risk assessments widely vary from organization to organization,” the report states. Close to one in five respondents (16.9 percent) said no security framework, such as NIST or HITRUST, had been implemented at their respective organizations at all.

Looking to the future, healthcare organizations have certain concerns and priorities which will shape the direction of healthcare cybersecurity. “Healthcare cybersecurity is advancing with some noted improvements. However, there is always room for growth. But, cybersecurity programs cannot advance alone. Indeed, barriers such as lack of cybersecurity personnel and financial resources still persist. Accordingly, healthcare organizations (and their leaders) need to take proactive steps by instilling positive change and making cybersecurity a genuine priority. It is only then that we can move forward instead of taking one step forward and two steps back,” the report stated.
