“Healthcare records contain some of the most detailed personal information available, and healthcare organizations are not doing enough to protect this information.”[1]
Cyber-attacks on healthcare providers increased from 2016 to 2017 and are expected to increase again in 2018. In 2017, there were 477 reported healthcare breaches, compared with 450 breaches in 2016 – “an average of more than one health data breach per day.”[2]
The major findings from two significant healthcare cybersecurity studies further outline the healthcare industry’s cybersecurity weaknesses. The conclusions from these two reports, the Verizon 2018 Protected Health Information Data Breach Report and the SecurityScorecard 2018 Healthcare Report, are worth quoting in full.
From the SecurityScorecard 2018 Healthcare Report (quoting):
- Healthcare organizations overall have struggled to keep up with growing cybersecurity demands and have increasingly fallen victim to sophisticated attackers.
- The healthcare industry ranks fifteenth in terms of cybersecurity health when compared to 17 other major U.S. industries.
- The healthcare industry is one of the lowest performing industries in terms of endpoint security.
- Social engineering attacks continue to be a common attack vector.
- The most common cybersecurity issues in the healthcare industry relate to poor patching cadence.
- Healthcare organizations, even top performers, struggled with patching cadence and network security.
From the Verizon 2018 Protected Health Information Data Breach Report (quoting):
- 58% of incidents involved insiders—healthcare is the only industry in which internal actors are the biggest threat to an organization.
- Medical device hacking may create media hype but the assets most often affected in breaches are databases and paper documents.
- Ransomware is the top malware variety by a wide margin. 70% of incidents involving malicious code were ransomware infections.
- Basic security measures are still not being implemented. Lost and stolen laptops with unencrypted PHI continue to be the cause of breach notifications.
Compounding these issues is the fact that healthcare companies are not spending enough on security, averaging just 3 percent of their IT budgets. “Health care companies should be spending at least 10 percent of their information technology budgets on security, says Lisa Gallagher, a cybersecurity expert at HIMSS — and up to 40 percent for companies that are just getting started, says Michael Garvin of Symantec.”[3] For comparison, the average for the finance industry is 10-12 percent of IT budget.[4]
The combination of extensive private data and an inadequate security focus has made healthcare organizations attractive targets for attackers and, all too often, victims of their own errors.
References:
[1] SecurityScorecard, 2018 Healthcare Report: A Pulse on the Healthcare Industry’s Cybersecurity Risks.
[2] Protenus, 2017 Breach Barometer Annual Report.
[3] Politico, “Billions to install, now billions to protect,” 6/1/2015.
[4] Healthcare Informatics, “Risk Management is Maturing, But Cybersecurity Gaps Still Loom, Report Finds,” 3/2/2018.