Healthcare organizations average about one cyber attack per month and almost one out of two have experienced an incident involving the loss or exposure of patient information in the past 12 months. Yet despite these incidents, only half of healthcare organizations have an incident response plan in place, according to the results of Ponemon Institute’s The State of Cybersecurity in Healthcare Organizations in 2016 study.
For the study, Ponemon Institute and ESET, a security software vendor, surveyed 535 IT and IT security practitioners in small to medium-sized healthcare organizations in the U.S.
Based on the survey results, exploiting existing software vulnerabilities and web-borne malware attacks are the most common security incidents. According to 78 percent of respondents, the most common security incident is the exploitation of existing software vulnerabilities greater than three months old.
On average, healthcare organizations have an advanced persistent threat (APT) incident every three months. Respondents experienced an APT attack about every three months during the last year. The primary consequence of APTs and zero-day attacks, according to 66 percent of respondents, were IT downtime, followed by the inability to provide services (46 percent), which create serious risks for patient treatment.
Distributed Denial of Service (DDoS) attacks have cost healthcare organizations, on average, $1.32 million in the past 12 months, and that cost includes lost productivity, reputation loss and brand damage. In addition, 37 percent of respondents report having experienced a DDoS attack that caused a disruption to operations and/or system downtime about every four months.
"Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks," Larry Ponemon, chairman and founder of The Ponemon Institute, said in a statement "As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies."
Stephen Cobb, senior security researcher at ESET, said the concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security.
“The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management,” he said.
Not surprisingly, the majority of respondents said the most attractive and lucrative target for unauthorized access and abuse can be found in patients’ medical records.
The survey also found that healthcare organizations worry most about system failures, with 79 percent citing that one of the top three threats facing their organizations, followed by cyber attacks and unsecure medical devices.
When gauging healthcare leaders’ viewpoints on what poses the greatest risk to patient information, more respondents (52 percent) said legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things (IoT) increase security vulnerabilities for patient information, compared to 46 percent citing employee negligence as a risk to patient information.
According to the Ponemon Institute, the survey results indicate that healthcare organizations need to increase technology investments to reduce the frequency of cyber attacks. On average, organizations represented in the research spend $23 million annually on IT, with 12 percent on average allocated to information security.