Healthcare organizations are underestimating cybersecurity risks
The WannaCry, Petya and NotPetya attacks show that cybercriminals can do a lot of damage in healthcare. Then there are the countless hacks and attempted hacks that healthcare CIOs and CISOs must deal with on a daily basis that don’t get the attention of the high-profile assaults. Cybersecurity is deadly serious business in healthcare, and the stakes are being raised.
According to a new healthcare cybersecurity survey from consulting giant KPMG, 47 percent of healthcare providers and health plans said they had experienced security-related HIPAA violations or cyber-attacks that compromised data, compared with 37 percent in KPMG’s 2015 survey.
However, when asked about “readiness to defend against a concerted cyber-attack,” 35 percent said they are “completely ready” versus 16 percent in 2015, according to the KPMG 2017 Cyber Healthcare & Life Sciences Survey, which asked 100 C-level technology, information and security executives at healthcare providers and health plans about their overall readiness, vulnerabilities and resources dedicated to protecting data.
Healthcare provider organizations have been struck by a variety of attack types. Of the cyber-attacks known to respondents during the past 12 months, 36 percent of organizations experienced phishing e-mails that resulted in a compromise, 54 percent malware introduced onto a single system through human error, 70 percent external hacking of a vulnerability, 20 percent an internal bad actor, and 26 percent a compromise through a third-party device, product or service, the survey found.
Asked if any of these types of attacks resulted in ransomware being introduced into their IT ecosystem, 34 percent of healthcare organizations said yes, 62 percent said no, and 4 percent were not sure, the survey said. Of those hit by ransomware, 41 percent paid the ransom.
Despite the rising threats, KPMG’s survey found that cybersecurity as a board agenda item has declined over the past two years (79 percent versus 87 percent in 2015). In addition, KPMG found a disconnect regarding cybersecurity investment in this volatile environment. A smaller majority of healthcare companies made investments in information protection in the prior twelve months (66 percent versus 88 percent in the 2015 survey).
“Healthcare payers and providers are on treacherous ground here and some organizations are underestimating cybersecurity risks,” said KPMG healthcare advisory leader Dion Sheidy. “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate.”
The WannaCry ransomware hack in May was a warning shot against healthcare’s collective ability to protect patient safety and privacy, Sheidy added.
KPMG’s survey found that both payers and providers were opting to focus on investing in technology rather than process and staffing.
“A solid cybersecurity program needs people, processes and technology, and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” said Michael Ebert, leader of KPMG’s cybersecurity group in healthcare and life sciences. “Software can only protect you so far and staff is important when it comes time to respond to a data breach.”
Survey respondents not emphasizing staff and processes are underestimating the threats or creating a false sense of security among their management and board, Ebert added.
Only 15 percent of respondents said that increased or higher-quality staffing is needed to make their organizations more effective in cybersecurity, while an “overarching strategy” was seen as the biggest need by 24 percent. “Stronger processes” at 21 percent and “increased funding” and “better technology” at 20 percent each were also cited as big needs. Staff (hiring, training) ranked last at 24 percent among the areas where organizations planned to make investments, trailing planned investments in stronger policy, technology, consulting, managed services and hardware.