Healthcare Organizations Need to Refine Cybersecurity Strategies, Develop Incident Response Plans, Study Finds | Healthcare Informatics Magazine | Health IT | Information Technology

March 1, 2016
by Heather Landi

Healthcare organizations average about one cyber attack per month and almost one out of two have experienced an incident involving the loss or exposure of patient information in the past 12 months. Yet despite these incidents, only half of healthcare organizations have an incident response plan in place, according to the results of Ponemon Institute’s The State of Cybersecurity in Healthcare Organizations in 2016 study.

For the study, Ponemon Institute and ESET, a security software vendor, surveyed 535 IT and IT security practitioners in small to medium-sized healthcare organizations in the U.S.

Based on the survey results, exploiting existing software vulnerabilities and web-borne malware attacks are the most common security incidents. According to 78 percent of respondents, the most common security incident is the exploitation of existing software vulnerabilities greater than three months old.

On average, healthcare organizations experienced an advanced persistent threat (APT) incident about every three months during the last year. The primary consequence of APTs and zero-day attacks, according to 66 percent of respondents, was IT downtime, followed by the inability to provide services (46 percent), both of which create serious risks for patient treatment.

Distributed Denial of Service (DDoS) attacks have cost healthcare organizations, on average, $1.32 million in the past 12 months, and that cost includes lost productivity, reputation loss and brand damage. In addition, 37 percent of respondents report having experienced a DDoS attack that caused a disruption to operations and/or system downtime about every four months.

"Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks," Larry Ponemon, chairman and founder of The Ponemon Institute, said in a statement. "As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies."

Stephen Cobb, senior security researcher at ESET, said the concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security.

“The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management,” he said.

Not surprisingly, the majority of respondents said the most attractive and lucrative target for unauthorized access and abuse can be found in patients’ medical records.

The survey also found that healthcare organizations worry most about system failures, with 79 percent citing that as one of the top three threats facing their organizations, followed by cyber attacks and unsecure medical devices.

When gauging healthcare leaders’ viewpoints on what poses the greatest risk to patient information, more respondents (52 percent) said legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things (IoT) increase security vulnerabilities for patient information, compared to 46 percent citing employee negligence as a risk to patient information.

According to the Ponemon Institute, the survey results indicate that healthcare organizations need to increase technology investments to reduce the frequency of cyber attacks. On average, organizations represented in the research spend $23 million annually on IT, with 12 percent on average allocated to information security.
