Major security incidents are the new normal for hospitals and health systems
The newest healthcare cybersecurity report from HIMSS was published Tuesday, and even a cursory glance at recent headlines will bear out its chief conclusion: "Most organizations are experiencing significant security incidents. Significant security incidents are the norm."
WHY IT MATTERS
The 2020 HIMSS Cybersecurity Survey gathered feedback from 168 US based healthcare cybersecurity professionals – mostly IT and infosec leaders at provider organizations, but also some consultants and vendors – to offer an updated snapshot showing the of the current security landscape. (HIMSS is the parent company of Healthcare IT News.)
The big takeaway is that breaches, ransomware and other security incidents are getting bigger and more disruptive at healthcare organizations, with scam artists, cybercriminals and even nation-state actors becoming ever more brazen and persistent.
Phishing remains the most common initial vulnerability, allowing bad actors an entry point from which they can exploit hospital IT systems.
"Phishing is the number one way that attackers are getting into your systems and networks," said HIMSS Director of Privacy and Security Lee Kim.
"What are attackers after? Financial and employee information [is] the most prized," she said. "Going after the money is the number one goal. Employee information is also hot, as this information is valuable for both phishers and identity thieves."
Interestingly, patient information was only number three on the list.
Most of the time, "disruption of information technology operations and business operations are typical outcomes of cyberattacks," according to the report – and most of the time, that disruption is temporary and relatively limited in scope.
However, "disruption of clinical care, or damage or destruction of clinical care systems and devices also occurs," the report notes.
And, as seen several months ago in Germany, sometimes that disruption can prove fatal for vulnerable patients.
Even given the widespread worry that delays in care as in that incident – or attacks on connected medical devices or vulnerable IoT systems – could cause adverse events, "patient safety impacts are likely underreported," according to the report.
"There is a lack of available mechanisms for identifying and detecting patient safety impacts," researchers wrote. "The respondents reporting patient safety impacts were asked if effective mechanisms were in place to detect patient safety issues related to significant security incidents.
"Sixty-one percent of these respondents indicated that their organizations did not have effective mechanisms in place," they added. "Because of the clear nexus between patient safety and cybersecurity, it is clear that more organizations need to have effective mechanisms for detecting patient safety issues."
THE LARGER TREND
The survey emphasizes that the attacks on the healthcare space are getting bigger, more complex and more damaging in general.
"Significant security incidents continue to plague healthcare organizations of all types and sizes," the researchers wrote.
Moreover, the sheer variety of ways vulnerabilities can be exploited shows the size of the challenge for CISOs, CIOs and other security leaders. According to HIMSS, the most common significant security incidents were:
- Phishing attacks (reported by 57% of respondents)
- Credential harvesting attacks (21%)
- Social engineering attacks other than phishing (20%)
- Ransomware or other malware (20%)
- Theft or loss (16%)
- Website or web application attacks (14%)
- Negligent insider activity (13%)
- Breach or data leakage (11%)
- Malicious insider activity (10%)
Despite all this risk, cybersecurity budgets are still not up to where they should be at most healthcare organizations according to the report, with just 6% or less of information technology budgets typically allocated for cybersecurity.
And despite the heightened risk – as illustrated most recently by a sobering ransomware warning from the Cybersecurity and Infrastructure Security Agency, the FBI and HHS – "budgets are mainly static," said researchers. "Cybersecurity budgets generally did not change from the prior year."
Even more challenging is the fact that most provider organizations are running on old or even outdated technologies.
"Legacy systems are the norm [and] are pervasive in healthcare," according to HIMSS. Meanwhile, the "footprint of legacy systems is significantly growing," with Windows Server 2008, Windows 7 and Windows XP still in place.
At least health systems are doing adequately with basic controls in place. For instance, the report notes, lukewarmly, "most, but not all, organizations have firewalls and anti-virus software in place" by now.
At other organizations, "some progress is being made for basic and advanced controls," including system monitoring, patch and vulnerability management tools, and multi-factor authentication.
Likewise, "more comprehensive security risk assessments [and] end-to-end security risk assessments are being done," even if there's "room for improvement," according to HIMSS – which also notices that "new or improved security measures are being implemented, and drafting, revising, and/or testing policies, procedures, and documentation are being done as a result of security risk assessments."
Still, one ongoing vulnerability is that "business continuity and disaster recovery plans are nonexistent or very weak at many healthcare organizations," according to the report. "Frequently, these plans are not tested until an actual incident occurs. In the case of a significant security incident, chaos can ensue and enormous costs can mount.
"Without a doubt, healthcare organizations should be proactive with developing, implementing, testing and training. These actions are necessary for robust business continuity and disaster recovery plans. The plans should also continue to evolve based upon lessons learned."
ON THE RECORD
"Most healthcare organizations are experiencing disruption of their systems," said Lee Kim of HIMSS. "Some experience disruption of clinical systems. Do you have a backup plan in case your system goes down? We’ve already had the first documented case of a patient death due to a ransomware attack. We don’t want the trend to continue. We have to be vigilant with our plans."
Read the full 2020 HIMSS Healthcare Cybersecurity Survey.