February 20, 2019

Though healthcare organizations appear to be devoting a greater proportion of financial resources to securing their information systems from unwanted intrusion, significant cybersecurity gaps persist in important areas, according to the Health Information Management Systems Society’s 2019 (HIMSS) Cybersecurity Survey.

Healthcare cybersecurity practices are “moving in the right direction with some degree of uniformity,” according to the survey report, released during HIMSS 2019 in Orlando. Still, despite the progress, “budgets allocated to cybersecurity are still quite small and the lack of knowledgeable cybersecurity personnel also continues to hinder progress.”

The survey, which reflects responses from 166 information security leaders for hospitals, vendors and other healthcare organizations, was conducted in November and December of 2018.

The survey found a pattern of discernable cybersecurity threats across healthcare organizations, with significant security threats remaining a near universal experience among organizations. Many of the incidents are initiated by bad actors who frequently use email as their weapon of attack.

Only 22 percent of respondents indicated that they did not experience a significant security incident in the previous 12 months.  Nearly half of respondents cited two types of actors: online scam artists (28 percent) and negligent insiders (20 percent) as the source of security incidents.

The significant percentage of incidents due to negligence around security practices and protocols points to the importance of ongoing education for all stakeholders on information security best practices, the survey report said.

While phishing email remains the most common method of compromise in significant security incidents (59 percent), advances in cybersecurity techniques may encourage bad actors to look for other points of vulnerability, which means that healthcare organizations should keep close watch on these other areas of potential compromise.

Other key potential points of compromise for hospitals include human error (30 percent), e.g., accidentally posting patient information to a public website; compromise of vendor credentials (20 percent),  compromise of mobile devices through malware infection (11 percent); and compromise of medical devices (10 percent).

Most security incidents are identified by people within the organization, notably, the internal security team (46 percent) and other employees (37 percent), indicating that organizations should focus resources and training on internal lines of defense against security incidents. “Additionally, those involved in day-to-day information security operations and management should receive additional education and training to understand the latest threats and how to prevent and/or mitigate them,” including giving security professionals time off and reimbursement for training, the report stated.

The survey revealed improvements in cybersecurity practices within the sector, including the finding that 59 percent of respondents feel empowered by their organizations to drive positive change, and 55 percent reporting budget allocations specifically for cybersecurity purposes.  Though obtaining funds for cybersecurity remains a complex task, “healthcare organizations, in general, appear to be responding to this challenge by dedicating more financial resources toward their cybersecurity programs,” and the amounts allocated within IT budgets for this activity are on the rise, according to the survey.

Despite these improvements, complacency around cybersecurity remains an ongoing concern.  When asked to rate the level of challenge posed by a list of 10 factors related to remediating and mitigating security incidents, the most challenging factor, “too many emerging and new threats,” earned a score indicating that it was only “somewhat of a challenge” to participants.

While HIMSS finds the result encouraging in the sense that it indicates respondents feel confident in their ability to address security incidents, the “lack of passion” (i.e., moderate rating of 3.13 on a 5-point scale) in participants’ answers also suggests that “over-confident leaders may be ‘lulled’ into believing there are few challenges they face in managing the confidentiality, integrity and availability of their organization’s information and technology infrastructure, and may be susceptible to ‘dropping their guard.’”

The survey also found notable gaps in key areas of cybersecurity, with 18 percent of respondents reporting that their organization does not conduct phishing tests, and 69 percent of participants indicating that they still had at least some legacy systems in place.  “As current and patched operating systems are foundational to secure information environments, running a legacy operating system is an ill-advised practice,” the report stressed. “Operating systems that have been unsupported for five, ten or more years (decades in some cases) greatly increase a healthcare organization’s risk of being compromised.”

The complete HIMSS 2019 Cybersecurity Survey is available here.