Survey: 75 Percent of Healthcare Orgs Saw a Significant Security Incident Last Year | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Survey: 75 Percent of Healthcare Orgs Saw a Significant Security Incident Last Year

March 13, 2018
by Heather Landi
| Reprints
Click To View Gallery

A recent cybersecurity survey conducted by the Health Information and Management Systems Society (HIMSS) found that 75 percent of healthcare organizations experienced a significant security incident in the past 12 months. And, while more organizations view cybersecurity as a business priority, most healthcare organizations’ cybersecurity programs have room for improvement.

The 2018 HIMSS Cybersecurity Survey, based on the feedback from 239 health information security professionals, provides insight into what healthcare organizations are doing to protect their information and assets, in light of increasing cyber-attacks and compromises impacting the healthcare and public health sector.

“Significant security incidents at healthcare organizations have not slowed down by any means. If anything, it is projected that significant security incidents will continue to grow in number, complexity, and impact,” the report stated.

The survey found that 75.7 percent of healthcare organizations experienced a significant security incident in the past 12 months. While 21 percent said they did not have a recent significant security incident in the past year, 3 percent said they did not know.

What’s more, almost all respondents (96 percent) who said their organizations had experience a significant threat were able to characterize the threat actor. The top threat actor was the online scam artist involved in activities such as phishing and spear phishing (30 percent). Sixteen percent of respondents said negligent insiders were responsible for the most significant security incident, and another 16 percent identified hackers as the top threat actor.

Malicious insiders (4 percent), social engineers (3.7 percent, hacktivists (3 percent), and nation state actors (2 percent) also were identified as threat actors.

The majority of respondents (61.4 percent) indicated that the initial point of compromise was via e-mail (e.g., phishing e-mail). Yet others indicated that the initial point of compromise was in the “other” category (12.7 percent). For the “other” category, the initial point of compromise ranged from web application attacks, compromised customer networks, weak passwords, misconfigured cloud servers, and human error.

A minority of respondents (about 3 percent or less) indicated that the initial point of compromise was by way of a compromised organizational website (3.2 percent), hardware or software infected with malware “off the shelf” (3.2 percent), infected or compromised mobile device or medical device (each 2.1 percent), third party websites (1.6 percent), or a compromised cloud provider/service (1.6 percent).

 When looking at time to discovery of a security incident, the majority of respondents (47 percent) said it took less than 24 hours for their organization to discover the attack; 13 percent said it took one to two days and 7 percent said it took three to seven days.

The HIMSS Cybersecurity report findings also yielded a few notable themes. Healthcare organizations with cybersecurity programs are making positive efforts towards improvement. More resources are dedicated to cybersecurity programs, the report stated. The vast majority of respondents (84.3 percent) indicated that their organizations’ use of resources to address cybersecurity concerns has increased. Yet others indicated that there has not been a change in resources since last year (11 percent). Still others indicated that their organizations’ use of resources has decreased (3.3 percent).

In the 2015 and 2016 HIMSS Cybersecurity Surveys, the majority of respondents indicated that cybersecurity was a business priority for their respective organizations. In the 2017 survey, 60 percent of respondents indicated that their organization employs a senior information security leader.

More than half of respondents (55 percent) said their organizations have a dedicated or defined amount of the current IT budget allocated for cybersecurity. However, a fair amount of respondents (26.5 percent) have no specific carve out of cybersecurity within the IT budget (but, money is spent on cybersecurity).

According to the survey report, another finding is that proactive measures are being taken as a result of regular risk assessments. Penetration testing and security awareness training are regularly conducted, the report stated. A little less than half of respondents (45 percent) said risk assessments are conducted once a year.

One positive trend is that 70 percent of respondents said cybersecurity assessments were conducted as part of their organization’s due diligence analysis when acquiring a product or service for their organizations. While this is a positive trend, 26 percent of respondents said their organizations don’t do these kinds of cybersecurity assessments as part of due diligence.

According to the survey, most healthcare organizations’ cybersecurity programs have room for improvement.” Significant barriers exist for remediating and mitigating security incident, namely, personnel and financial resources. Some organizations do not yet have formal insider threat management programs. Risk assessments widely vary from organization to organization,” the report states. Almost 20 percent of respondents (16.9 percent) said no security framework, such as NIST or HITRUST, had been implemented at their respective organizations at all.

Looking to the future, healthcare organizations have certain concerns and priorities which will shape the direction of healthcare cybersecurity. “Healthcare cybersecurity is advancing with some noted improvements. However, there is always room for growth. But, cybersecurity programs cannot advance alone. Indeed, barriers such as lack of cybersecurity personnel and financial resources still persist. Accordingly, healthcare organizations (and their leaders) need to take proactive steps by instilling positive change and making cybersecurity a genuine priority. It is only then that we can move forward instead of taking one step forward and two steps back,” the report stated.


2018 Raleigh Health IT Summit

Renowned leaders in U.S. and North American healthcare gather throughout the year to present important information and share insights at the Healthcare Informatics Health IT Summits.

September 27 - 28, 2018 | Raleigh


HIPAA Settlements: Three Boston Hospitals Pay $1M in Fines for “Boston Med” Filming

September 20, 2018
by Heather Landi, Associate Editor
| Reprints

Three Boston hospitals that allowed film crews to film “Boston Med” on premises have settled with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

According to OCR, the three hospitals—Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH)—compromised the privacy of patients’ protected health information (PHI) by inviting film crews on premises to film “Boston Med,” an ABC television network documentary series, without first obtaining authorization from patients.

OCR reached separate settlements with the three hospitals, and, collectively, the three entities paid OCR $999,000 to settle potential HIPAA violations due to the unauthorized disclosure of patients’ PHI.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” Roger Severino, OCR director, said in a statement. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Of the total fines, BMC paid OCR $100,000, BWH paid $384,000, and MGH paid $515,000. Each entity will provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media, according to OCR. Boston Medical Center's resolution agreement can be accessed here; Brigham and Women’s Hospital's resolution agreement can be found here; and Massachusetts General Hospital's agreement can be found here.

This is actually the second time a hospital has been fined by OCR as the result of allowing a film crew on premise to film a TV series, with the first HIPAA fine also involving the filming of an ABC medical documentary television series. As reported by Healthcare Informatics, In April 2016, New York Presbyterian Hospital (NYP) agreed to pay $2.2 million to settle potential HIPAA violations in association with the filming of “NY Med.”

According to OCR announcement about the settlement with NYP, the hospital, based in Manhattan, violated HIPAA rules for the “egregious disclosure of two patients’ PHI to film crews and staff during the filming of 'NY Med,' an ABC television series.” OCR also stated the NYP did not first obtain authorization from the patients. “In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.”

The OCR director at the time, Jocelyn Samuels, said in a statement, “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization. We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.” 

OCR’s guidance on disclosures to film and media can be found here.

More From Healthcare Informatics


Independence Blue Cross Notifies 17K Patients of Breach

September 19, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

The Philadelphia-based health insurer Independence Blue Cross is notifying about 17,000 of its members that some of their protected health information (PHI) has been exposed online and has potentially been accessed by unauthorized individuals.

According to an article in HIPAA Journal, Independence Blue Cross said that its privacy office was informed about the exposed information on July 19 and then immediately launched an investigation.

The insurer said that an employee had uploaded a file containing plan members’ protected health information to a public-facing website on April 23. The file remained accessible until July 20 when it was removed from the website.

According to the report, the information contained in the file was limited, and no financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed, HIPAA Journal reported.

The investigators were not able to determine whether any unauthorized individuals accessed the file during the time it was on the website, and no reports have been received to date to suggest any protected health information has been misused.

A statement from the health insurer noted that the breach affects certain Independence Blue Cross members and members of its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Fewer than 1 percent of total plan members were affected by the breach.

Related Insights For: Cybersecurity


Report: Healthcare Lags Other Industries in Phishing Resiliency

September 19, 2018
by Heather Landi, Associate Editor
| Reprints
Click To View Gallery

It’s no secret that the healthcare industry continues to be a target for cyber criminals and healthcare organization leaders face constantly evolving cyber threats. It's widely konwn that phishing attacks are a serious problem in the healthcare industry, yet the industry continue to lag behind other industries in its resiliency to phishing attacks, according to a recent report.

In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) which affected a total of 5.579 million patient records. A Verizon 2018 Data Breach Investigations Report (DBIR) released in April found that the human factor continues to be a key weakness in data breaches. Financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated—with email continuing to be the main entry point (96 percent of cases). And, that report found that while, on average, 78 percent of people did not fail a phishing test last year, 4 percent of people do for any given phishing campaign. A cybercriminal only needs one victim to get access into an organization.

In a recently released report, Cofense, a security software services company, specifically examined phishing attacks in healthcare. Cofense’s analysis is based on more than 160 sample healthcare clients over the last year (September 2017-2018) and the report explores how phishing endangers healthcare providers and provides steps organizations should be taking to boost their resiliency rate.

The report researchers examined healthcare’ resiliency to phishing attacks. Resiliency is the ratio between users who report a phish versus those who fall susceptible, according to the report. While resiliency in healthcare has improved in the past three years—from a rate of 1.05 in 2015 to a rate of 1.49 in 2018, so far—but it doesn’t mark dramatic improvement.

Based on a resiliency analysis across industries of the last 12 months, the healthcare industry clearly trails behind other industries in its phishing attack resiliency rate, as the average resiliency score for all industries was 1.79, according to the report.

The energy industry had a resiliency rate of 4.01, the financial services industry had a rate of 2.52, and the insurance industry had a rate of 3.03. The report’s researches surmise that one possible reason resiliency is higher in insurance versus healthcare is that insurance is tied to financial services, which is frequently attacked as well as heavily regulated.

“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report authors wrote.

One factor that surely inhibits the industry’s resiliency is high turnover, according to the report. “With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report states.

Cofense builds and tracks phishing simulations for its customers in which users receive simulated phishes. Based on the company’s analysis of these phishing exercises, the top five phishing scenarios that healthcare workers most frequently clicked on, based on the email subject line, were requested invoice, manager evaluation, package delivery, Halloween eCard alert and beneficiary change.

The next five were Holiday eCard alert, HSA customer service email, employee raffle, file from scanner and Halloween costume guidelines.

“These wide-ranging scenarios show that vulnerability is spread across business and social contexts,” the report authors wrote. The analysis indicates low scores in Requested Invoice and e-Card simulations alike. “While some would argue that an e-Card would never evade their secure email gateways, remember the gaps created by BYOD (bring your own device). Not everyone is on the corporate network and protected by its email systems. When personal devices are exposed, a breach can easily ensue,” the report authors wrote.

The Cofense report also notes that phishing attackers are masters at pulling emotional levers, as “Requested Invoice” plays on urgency, and “Manager Evaluation” taps into urgency too, tinged with fear. What’s more, “Employee Raffle” is purely about the desire for reward. “These are scenarios any healthcare company will want to use in conditioning employees to be careful and not take the bait.

In previous years, Cofense reported that fear, urgency, and curiosity were the top emotional motivators behind successful attacks. Now they’re closer to the bottom, replaced by entertainment, social media, and reward/recognition,” the report authors wrote.

The trend shows that as Internet behavior changes, so do phishing attacks, according to the report authors. And the report authors note that any active threats that a company faces is fodder for training. Security professionals who manage phishing awareness programs should ask their incident responders or threat intelligence analysts which active phishing threats should be simulated, according to the report.

“To guard against the phishing onslaught, healthcare providers would be smart to create an end-to-end defense, following the lead of the company featured in the case study. A collaborative defense, built with technology and skilled humans, both users and security professionals, is the best way to lower risk,” the report authors wrote.

See more on Cybersecurity