Healthcare Informatics Magazine | Health IT | Information Technology

Healthcare Organizations Need to Refine Cybersecurity Strategies, Develop Incident Response Plans, Study Finds

March 1, 2016
by Heather Landi

Healthcare organizations experience about one cyber attack per month, and almost half have suffered an incident involving the loss or exposure of patient information in the past 12 months. Despite this, only half of healthcare organizations have an incident response plan in place, according to the results of the Ponemon Institute's The State of Cybersecurity in Healthcare Organizations in 2016 study.

For the study, Ponemon Institute and ESET, a security software vendor, surveyed 535 IT and IT security practitioners in small to medium-sized healthcare organizations in the U.S.

The survey results identify the exploitation of existing software vulnerabilities and web-borne malware attacks as the most common security incidents. Seventy-eight percent of respondents said the most common incident is the exploitation of existing software vulnerabilities more than three months old, that is, flaws that had been known for at least three months and had still not been remediated.

On average, respondents experienced an advanced persistent threat (APT) attack about once every three months during the past year. According to 66 percent of respondents, the primary consequence of APTs and zero-day attacks was IT downtime, followed by the inability to provide services (46 percent), both of which create serious risks for patient treatment.

Distributed denial of service (DDoS) attacks cost healthcare organizations an average of $1.32 million in the past 12 months, a figure that includes lost productivity, reputation loss and brand damage. In addition, 37 percent of respondents reported experiencing a DDoS attack that caused a disruption to operations and/or system downtime about every four months.

"Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks," Larry Ponemon, chairman and founder of The Ponemon Institute, said in a statement. "As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies."

Stephen Cobb, senior security researcher at ESET, said the concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security.

“The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management,” he said.

Not surprisingly, the majority of respondents said the most attractive and lucrative target for unauthorized access and abuse can be found in patients’ medical records.

The survey also found that healthcare organizations worry most about system failures, with 79 percent citing them as one of the top three threats facing their organizations, followed by cyber attacks and unsecure medical devices.

Asked what poses the greatest risk to patient information, 52 percent of respondents pointed to legacy systems and to the new technologies adopted to support cloud and mobile implementations, big data and the Internet of Things (IoT), saying these increase security vulnerabilities for patient information; 46 percent cited employee negligence.

According to the Ponemon Institute, the survey results indicate that healthcare organizations need to increase technology investments to reduce the frequency of cyber attacks. On average, organizations represented in the research spend $23 million annually on IT, with 12 percent on average allocated to information security.
