The State of Healthcare Cybersecurity

On February 21, 2022, HIMSS published its annual cybersecurity survey [1]. The survey is designed to provide insight into the state of healthcare cybersecurity and draws on responses from 167 healthcare cybersecurity professionals.

The survey highlights the continuing risk to healthcare organizations. 98% of responding organizations had experienced security incidents, and 44% of respondents rated those incidents as high or critical risk to their organization. Of the organizations reporting incidents, 57% said their most significant incident was phishing-related.

Healthcare organizations often assume patient information is the asset at greatest risk, yet respondents reported that financial information and employee information were more often the targets of attacks. This suggests that cybersecurity practices should be enterprise-wide rather than limited to the systems that hold medical information.

The HIMSS survey results mirror the Federal Bureau of Investigation (FBI) Internet Crime Report 2021, which lists phishing and the exploitation of software vulnerabilities among the top initial access vectors for ransomware attacks. The FBI report also found that healthcare and public health was the critical infrastructure sector most often reporting ransomware in 2021 [2], with 148 complaints, roughly 22% of the ransomware complaints the FBI received from critical infrastructure organizations.

Healthcare is still under attack, and the industry has significant room to improve its security. The HIMSS survey also pointed out that healthcare organizations continue to have significant gaps in their security programs. For example, many respondents reported still running unsupported operating systems such as Windows NT, Windows XP, and Windows Server 2008. Unsupported operating systems expose an organization to significant risk because the vendor no longer issues patches for newly discovered vulnerabilities, so every new flaw in those systems remains exploitable indefinitely.
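A practical first step toward closing that gap is to check an asset inventory against vendor end-of-support dates. The following script is an added example, not code from the original post or from HIMSS; the inventory it reads is constructed for illustration, and the end-of-support dates are Microsoft's published extended-support end dates for the listed products (treat them as an assumption and re-check them against the vendor's lifecycle pages before relying on them).

```python
"""Flag inventory entries whose operating system is past vendor end of support."""
import csv
import io
from datetime import date

# Vendor end-of-extended-support dates. Assumption: verify against the vendor's
# lifecycle page; paid Extended Security Updates are deliberately not counted.
END_OF_SUPPORT = {
    "windows nt 4.0": date(2004, 12, 31),
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
    "windows server 2008": date(2020, 1, 14),
    "windows server 2008 r2": date(2020, 1, 14),
    "windows server 2012": date(2023, 10, 10),
    "windows server 2012 r2": date(2023, 10, 10),
}

# Constructed sample inventory (hostnames and segments are made up).
SAMPLE_INVENTORY = """\
hostname,os,segment
rad-modality-01,Windows XP,clinical
hr-fileshare,Windows Server 2008 R2,corporate
ehr-db-02,Windows Server 2019,clinical
lab-analyzer-07,Windows NT 4.0,clinical
pacs-web,Windows Server 2012 R2,clinical
"""


def parse_inventory(text):
    """Read a CSV inventory with at least 'hostname' and 'os' columns."""
    return list(csv.DictReader(io.StringIO(text)))


def lookup_eos(os_caption):
    """Return the end-of-support date for an OS caption, or None if unknown.

    Captions often carry edition or service-pack suffixes ("Windows XP
    Professional SP3"), so match on the longest known product name that the
    normalized caption starts with. Longest-first ordering keeps
    "Windows Server 2008 R2" from matching the plain 2008 entry.
    """
    caption = " ".join(os_caption.lower().split())
    for name in sorted(END_OF_SUPPORT, key=len, reverse=True):
        if caption == name or caption.startswith(name + " "):
            return END_OF_SUPPORT[name]
    return None


def find_unsupported(rows, today):
    """Return (hostname, os, days_past_eos) for every host past end of support,
    oldest exposure first. Unknown OS captions are skipped, not flagged."""
    findings = []
    for row in rows:
        eos = lookup_eos(row["os"])
        if eos is not None and today > eos:
            findings.append((row["hostname"], row["os"], (today - eos).days))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


if __name__ == "__main__":
    for host, os_name, days in find_unsupported(parse_inventory(SAMPLE_INVENTORY), date.today()):
        print(f"{host}: {os_name} has been unsupported for {days} days")
```

Hosts whose OS is not in the table are neither flagged nor cleared; in practice, route those to a manual review queue rather than assuming they are supported.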

HIMSS respondents also noted that healthcare organizations have not fully implemented basic security controls.

[Chart: adoption of basic security controls among respondents. Source: 2021 HIMSS Cybersecurity Survey]

The information provided by HIMSS and the FBI is also supported by a review of the largest healthcare data breaches of 2021. The most significant breach in 2021 stemmed from the Accellion file transfer hack, which impacted approximately 3.5 million records and resulted from attackers exploiting a legacy file transfer product roughly 20 years old [3]. Another breach of 3.5 million records, at Florida Healthy Kids, was blamed on a failure to apply security patches to software [4].

Additional evidence suggests that the entry point for several healthcare ransomware attacks is a phishing email. In 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services published a Joint Cybersecurity Advisory on ransomware targeting the healthcare sector, detailing the methods cybercriminals use against it; the advisory specifically notes that several of the most common tactics used to take over systems begin with phishing emails, which then lead to the deployment of ransomware [5].

What Can You Do?

If you are a healthcare provider, realize that you are a target. Healthcare continues to be a leading target for bad actors partly because inadequate cybersecurity practices make it easy for them to penetrate your systems.

If you aren't already doing so, perform an annual enterprise-wide risk assessment and share the results with your management and governing body. Make sure your team understands the identified risks, and then develop a plan to address them.

Make sure your workforce is aware of the risks through security training and phishing testing, and that everyone knows to whom to report security concerns.

Evaluate your business associates and partners to make sure they are protecting your data. If they undergo formal audits or assessments such as SOC 2 or HITRUST certification, obtain the entire report and review it for concerns. Remember that while a business may claim to be "HIPAA Certified," there is no formal HIPAA certification, so it is your responsibility to confirm that they are protecting your data.

CompliancePoint has experienced assessors who can help you evaluate your cybersecurity practices through a Breach Readiness Assessment or Cyber Risk Assessment. If you are interested in how we can help, please reach out to us at 855-670-8780 or

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.