The recently released 2019 HIMSS Cybersecurity Survey reveals a number of positive developments by U.S. healthcare organizations to address cybersecurity threats. Respondents indicated a multitude of positive advances in cybersecurity practices designed to fortify their organizations; however, major cybersecurity challenges from 2018 will persist.
“From increasing the amounts allocated in IT budgets for cybersecurity activities to uniformity in security risk assessments, a growing wealth of cybersecurity resources are available for healthcare leadership to stay ahead of privacy and security threats,” said Rod Piechowski, senior director of health information systems at HIMSS. “While leaders should be encouraged by these findings, they also need to consider the notable information security gaps identified in this year’s survey.” If left unaddressed, he explained, these gaps have the potential to threaten the information integrity of the healthcare ecosystem.
Bad Actors Remain Prevalent
The majority of threat actors involved in security incidents (57 percent) can be characterized as bad actors (e.g., cybercriminals and others with malicious intent). Online scam artists continue to be the most frequently cited threats (28 percent in 2019; 30 percent in 2018). Negligent insiders (20 percent) are also cited as contributing to related security incidents.
Email Phishing Still a Major Threat
Of the respondents, 59 percent cited email as the most common point of information compromise, indicating that phishing emails continue to be a significant security threat in 2019. Despite this, a remarkable 36 percent of non-acute care organizations claimed that they do not conduct phishing tests.
“It is incumbent on healthcare leaders to ensure internal personnel have the training and resources needed to ensure robust internal information security practices are in fact practiced,” Piechowski said. “Organizations not conducting phishing tests create a vulnerability for those parts of the ecosystem they touch.”
Cybersecurity Budgets Continue to Increase
The majority of respondents (55 percent) reported that some designated amount of their current IT budget is allocated for cybersecurity purposes. Additionally, 72 percent indicated their cybersecurity budgets increased by 5 percent or more (38 percent) or remained the same (34 percent).
Legacy Systems Are Pervasive
A majority of respondents (69 percent) indicated that they had at least some legacy systems (older clinical technology systems) in place at their healthcare organizations. “Operating systems that have been unsupported for five, ten, or more years – decades, in some cases – greatly increases a healthcare organization’s risk of being compromised,” said Piechowski. “This is particularly significant in light of recent international cyber-attacks such as WannaCry and NotPetya.”
For a deeper dive into the 2019 HIMSS Cybersecurity Survey results, explore the full report.