Healthcare Industry Spending More on Security But Not Ready for Cyberattack

December 14, 2015

Two-thirds of the nation's healthcare provider organizations have experienced some kind of cyberattack in recent years and increased spending on data security hasn't improved the industry's readiness against attacks, according to a survey conducted by HIMSS.

The 2015 HIMSS Cybersecurity Survey found that the majority of respondents (87 percent) also indicated that information security had increased as a business priority at their organizations over the past year, resulting in improvements to security posture, such as improvements to network security capabilities, endpoint protection, data loss prevention, disaster recovery and information technology (IT) continuity.

However, despite the protective technologies implemented at healthcare organizations, respondents reported an average level of confidence with their organization’s ability to protect their IT infrastructure and data. Survey respondents were most confident their organizations could defend against a brute force attack (4.77) and least confident their organizations could protect against a zero day attack (3.82).

Indeed, two-thirds of respondents indicated their healthcare organizations had experienced a significant security incident in the recent past. And while the single largest source of a security incident was a negligent insider, 64 percent of respondents noted an incident at their organizations by an external actor, such as an online scam artist, hacker, or through social engineering. Furthermore, while the majority of respondents noted that security incidents were detected within 24 hours, approximately 20 percent of these security incidents ultimately resulted in the loss of patient, financial or operational data.

Additionally, respondents noted that today’s security tools are not going to be sufficient to protect the industry against the types of security threats their organizations expect to face in the future. Indeed, respondents were widely likely to indicate that more innovative and advanced tools are required to secure their environments in the future. Furthermore, they indicated that healthcare organizations must operate from a perspective which presumes their organization’s perimeter has already been breached. Moreover, more than half of respondents (59 percent) indicated agreement with the statement “cross-sector cyber threat information sharing is beneficial to my organization.”

Finally, respondents reported being highly concerned about the prospect of a future attack against their organizations. They were most likely to be concerned about phishing attacks, negligent insiders and advanced persistent threat (APT) attacks.

Other key survey results included:

Security Tools and Technologies: Healthcare organizations continue to rely on technologies such as anti-virus software, firewalls and data encryption to secure their IT environments. Respondents were much less likely to report their organizations used multi-factor digital identity (where digital identity is used for authentication), dynamic biometric technologies and dark web research.
Assessment of Network Defense and IT Security Capabilities: Respondents were most likely to report the use of risk assessments and vulnerability scans to assess their organization’s security. Only 12 percent reported their organization conducted a mock cyber defense exercise.
Motivators for Improving Information Security Environments: The top motivators for improving information security environments included results of risk assessments and concerns about phishing attacks and viruses/malware.
Detecting Security Incidents: The majority of respondents indicated that security incidents at their healthcare organizations were identified by an internal resource, such as an internal security team. Only 17 percent of respondents indicated that security incidents were identified by an external source, such as a patient whose information was compromised or a law enforcement agency.
Sources for cyber threat intelligence: Nearly 60 percent of respondents reported getting information about cyber threat intelligence from their peers (i.e., word of mouth). Third party vendor threat intelligence feeds (49 percent) and US Computer Emergency Readiness Team (CERT) alerts were also fairly widely used (45 percent).
Investigating Security Incidents: More than half of respondents reported that an external organization, such as a vendor/consultant or law enforcement agency, was brought in to investigate their security incidents. However, nearly half reported their healthcare organizations addressed the security incidents solely through an internal investigation.
Barriers to Mitigating Security Events: While respondents were most likely to indicate that lack of staffing and lack of financial resources were key barriers, 42 percent also indicated that there were too many emerging and new threats to keep track of.
External threat actors: Two-thirds of respondents reported a high degree of concern related to external threat actors. In comparison, 42 percent of respondents reported a high degree of concern in regard to insider threat actors.

The full survey is at http://www.himss.org/2015-cybersecurity-survey/executive-summary

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.