In a 2018 HIMSS Cybersecurity Survey, respondents included healthcare providers, vendors and consultants. Respondents’ roles included executive management, non-executive management and non-management professionals.
Purpose and Scope of the 2018 HIMSS Cybersecurity Survey
The 2018 HIMSS Cybersecurity Survey sought to answer two overarching questions:
- How far has the healthcare and public health (HPH) sector progressed in cybersecurity?
- Who is doing what in cybersecurity?
Most Organizations Have Experienced a Recent Significant Security Incident
Respondents were asked whether their organizations had experienced a significant security incident in the past 12 months. A majority of respondents, 75.7 percent, stated that their organizations did experience a significant security incident, while 21.2 percent of respondents stated that their organizations did not.
Top Threat Actors: Online Scam Artists, Negligent Insiders and Hackers
Respondents whose organizations experienced a recent significant security incident were also asked to characterize the threat actor – namely, the type of actor they believe was responsible for the incident. The top type of threat actor was the online scam artist (e.g., phishing, spear phishing), named by 37.6 percent of respondents. Negligent insiders (20.8 percent of respondents) and hackers (20.1 percent of respondents) were also frequently identified as the threat actors responsible for the recent significant security incident.
Initial Point of Compromise: Primarily Email
By far the most common initial point of compromise for organizations experiencing a recent significant security incident was email, at 61.9 percent of respondents. Other responses ranged from compromised organizational websites to a compromised cloud provider or service; generally, only 2 percent or 3 percent of respondents indicated initial points of compromise such as these.
Healthcare Organizations are Making Some Progress
A significant number of respondents, 84.3 percent, indicated that their organizations have increased the resources (e.g., people, assets, other resources) devoted to cybersecurity compared to last year. Unfortunately, however, significant barriers to mitigating and remediating security incidents remain, including a lack of people (52.4 percent of respondents) and a lack of financial resources (46.6 percent of respondents). Coupled with the usual state of hospitals running on thin profit margins (with some in the “red”), healthcare organizations struggle to provide enough money, resources and people to run their cybersecurity programs.
On a positive note, however, risk assessments are generally conducted at least once a year (69.7 percent of respondents), and organizations take proactive actions after a risk assessment, such as adopting new or improved security measures (83.1 percent of respondents), replacing or upgrading security solutions (65.1 percent of respondents), or replacing hardware, software, devices, etc., that are end of life or have been deprecated (56.6 percent of respondents).
Room for Growth
Nonetheless, the HPH sector has definite room for growth. For example, there is a lack of uniformity in how organizations consume cyber threat intelligence sources. The top three resources were:
- Peers (word of mouth) at 68.6 percent of respondents
- US CERT alerts and bulletins at 60.0 percent of respondents
- HIMSS resources (e.g., monthly healthcare and cross-sector cybersecurity reports, etc.) at 63.8 percent of respondents
Furthermore, less than half of respondents, 44.9 percent, indicated that their organizations have formal insider threat management programs.
Priorities and Future State
Healthcare organizations have a wide variety of priorities for their cybersecurity programs, ranging from incident response to medical device security, with each category named by 10 percent to 12 percent of respondents. When asked whether they are concerned about the failure or disruption of another critical infrastructure sector, however, the majority of respondents were concerned about the information technology and communication sector (e.g., the internet and other computer networks) and the IT sector.
While there is definitely room for improvement, compared to the previous few years there is some positive movement in regard to cybersecurity programs, instead of a “flatline” trend. Yes, healthcare cybersecurity programs are making progress – we are alive and kicking.