Healthcare Organizations Need to Refine Cybersecurity Strategies, Develop Incident Response Plans, Study Finds | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Healthcare Organizations Need to Refine Cybersecurity Strategies, Develop Incident Response Plans, Study Finds

March 1, 2016
by Heather Landi
| Reprints
Click To View Gallery

Healthcare organizations average about one cyber attack per month and almost one out of two have experienced an incident involving the loss or exposure of patient information in the past 12 months. Yet despite these incidents, only half of healthcare organizations have an incident response plan in place, according to the results of Ponemon Institute’s The State of Cybersecurity in Healthcare Organizations in 2016 study.

For the study, Ponemon Institute and ESET, a security software vendor, surveyed 535 IT and IT security practitioners in small to medium-sized healthcare organizations in the U.S.

Based on the survey results, exploiting existing software vulnerabilities and web-borne malware attacks are the most common security incidents. According to 78 percent of respondents, the most common security incident is the exploitation of existing software vulnerabilities greater than three months old.

On average, healthcare organizations have an advanced persistent threat (APT) incident every three months. Respondents experienced an APT attack about every three months during the last year. The primary consequence of APTs and zero-day attacks, according to 66 percent of respondents, were IT downtime, followed by the inability to provide services (46 percent), which create serious risks for patient treatment.

Distributed Denial of Service (DDoS) attacks have cost healthcare organizations, on average, $1.32 million in the past 12 months, and that cost includes lost productivity, reputation loss and brand damage. In addition, 37 percent of respondents report having experienced a DDoS attack that caused a disruption to operations and/or system downtime about every four months.

"Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks," Larry Ponemon, chairman and founder of The Ponemon Institute, said in a statement "As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies."

Stephen Cobb, senior security researcher at ESET, said the concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security.

“The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management,” he said.

Not surprisingly, the majority of respondents said the most attractive and lucrative target for unauthorized access and abuse can be found in patients’ medical records.

 The survey also found that healthcare organizations worry most about system failures, with 79 percent citing that one of the top three threats facing their organizations, followed by cyber attacks and unsecure medical devices.

When gauging healthcare leaders’ viewpoints on what poses the greatest risk to patient information, more respondents (52 percent) said legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things (IoT) increase security vulnerabilities for patient information, compared to 46 percent citing employee negligence as a risk to patient information.

According to the Ponemon Institute, the survey results indicate that healthcare organizations need to increase technology investments to reduce the frequency of cyber attacks. On average, organizations represented in the research spend $23 million annually on IT, with 12 percent on average allocated to information security.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Study will Leverage Connecticut HIE to Help Prevent Suicides

A new study will aim to leverage CTHealthLink, a physician-led health information exchange (HIE) in Connecticut, to help identify the factors leading to suicide and to ultimately help prevent those deaths.

Duke Health First to Achieve HIMSS Stage 7 Rating in Analytics

North Carolina-based Duke Health has become the first U.S. healthcare institution to be awarded the highest honor for analytic capabilities by HIMSS Analytics.

NIH Releases First Dataset from Adolescent Brain Development Study

The National Institutes of Health (NIH) announced the release of the first dataset from the Adolescent Brain Cognitive Development (ABCD) study, which will enable scientists to conduct research on the many factors that influence brain, cognitive, social, and emotional development.

Boston Children's Accelerates Data-Driven Approach to Clinical Research

In an effort to bring a more data-driven approach to clinical research, Boston Children’s Hospital has joined the TriNetX global health research network.

Paper Records, Films Most Common Type of Healthcare Data Breach, Study Finds

Despite the high level of hospital adoption of electronic health records and federal incentives to do so, paper and films were the most frequent location of breached data in hospitals, according to a recent study.

AHA Appoints Senior Advisor for Cybersecurity and Risk

The American Hospital Association (AHA) has announced that John Riggi has joined the association as senior advisor for cybersecurity and risk.