Healthcare organizations are in the crosshairs of cyber attackers at the rate of one cyber attack per month. This is the key finding of a recent Ponemon study, The State of Cybersecurity in Healthcare Organizations in 2016.

According to the study, healthcare organizations are experiencing an average of 11.4 cyber attacks per year. Further, almost half of the respondents (48 percent) said their organizations have experienced an incident involving the loss or exposure of patient information in the past 12 months.

The increasing frequency of attacks means that many patients are at risk for medical identity theft, and organizations are at risk of both incurring higher data protection penalties and a damaged public image. Yet, when it comes to preparing for a data breach, one of the most egregious forms of cyber attack from a regulatory perspective, only 50 percent report having an incident response plan in place.

“With cyber attacks against healthcare organizations growing increasingly frequent and complex, there is more pressure to refine cybersecurity strategies,” stated Ponemon. “Moreover, healthcare organizations have a special duty to secure data and systems against cyber hacks. The misuse of patient information and system downtime cannot only put sensitive and confidential information at risk, but the lives of patients as well.”

Top Security Threats Facing Healthcare

When asked about the top security threats in their healthcare organizations, respondents cited the following:

  • System failures (79%)
  • Unsecured medical devices (77%)
  • Cyber attacks (77%)
  • Employee-owned mobile devices (76%)
  • Identity thieves (73%)
  • Unsecured mobile devices (72%)

The data that hackers are most interested in stealing include:

  • Patients’ medical records (81%)
  • Patient billing information (64%)
  • Clinical trial and other research information (50%)
  • Employee information such as payroll data (45%)
  • Accounting and financial data (39%)

Sixty-three percent of respondents say the primary consequences of attacks were IT downtime, followed by the inability to provide services (46 percent), which created serious risks in patient care. Forty-four percent said these incidents resulted in the theft of personal information.

Healthcare Entities Report Low Cybersecurity Effectiveness

Overall, respondents are pessimistic about their ability to mitigate risks, vulnerabilities and attacks across their organizations. Only 26 percent said they currently have systems and controls in place to detect and stop advanced persistent threats (APTs). And just 33 percent rate their organizations’ cybersecurity posture as very effective.

When asked about their effectiveness in preventing attacks, 49 percent said their organizations experienced incidents when cyber attackers evaded their intrusion prevention systems (IPS). Another 37 percent said their organization experienced attacks that evaded their anti-virus solutions or traditional security controls.

The primary challenges to becoming more effective at cybersecurity include:

  • Lack of collaboration with other functions (76%)
  • Insufficient staffing (73%)
  • Not enough money (65%)
  • Not making cybersecurity a priority (65%)

Healthcare organizations said the factors increasing the vulnerability and threat to patient data include:

  • Legacy systems (52%)
  • New technologies and trends like cloud, mobile and Internet of Things (52%)
  • Employee negligence (46%)
  • Ineffectiveness of business associate agreements around PII (45%)

One of the most powerful ways to combat cybersecurity challenges is by conducting a bona fide risk analysis. Risk analysis is a systematic, rigorous process used to identify all of the possible ways in which the confidentiality, integrity or availability of any sensitive information, like patient’s personal data, may be compromised. The main deliverable from a risk analysis is a risk register or risk rating report that prioritizes potential security issues. This service helps organizations prevent costly complaints, fines and reputational damage caused by security breaches.

Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.