With any technology, more use means one thing – the need for more security.
For every technological innovation that organizations want to deploy, there’s someone out there who wants to hack it. Protecting personal health information is of vital importance given its depth and extremely personal nature.
The 2019 Cybersecurity Survey from HIMSS reflects an industry attempting to grapple with security issues, focusing on cybersecurity professionals in healthcare as the industry expands both in the number of patients and the capabilities of the technology it uses.
A Near-Universal Experience
According to the survey, the volume of cybersecurity attacks has increased over the years. The report states, “Significant security incidents are a near universal experience in U.S. healthcare organizations with many of the incidents initiated by bad actors, leveraging email as a means to compromise the integrity of their targets.”
The use of email to break into a private computer system is an old but, unfortunately, still very effective way of hacking a system. It’s even one of the featured methods used by companies that are hired by organizations to find weaknesses in computer systems.
One of the biggest weaknesses remains people who do not resist opening suspicious emails. “Think before you click” is a mantra for cybersecurity experts.
All this has led cybersecurity leaders in healthcare to focus on ways to improve how they are protecting systems. Thankfully, according to the HIMSS report, more healthcare organizations are starting to put increased dollars into cybersecurity.
Where the Attacks Come From
The findings of the report are based on a survey of 166 health information security professionals based in the United States. These are people already working in health IT, reporting what they have experienced.
According to the report, most attacks in the healthcare industry involve “bad actors” using email and other means to infiltrate a system, as well as hackers who look for bugs to enter a system. Such “bad actors” account for 57% of all hospital cyber-attacks.
In cases involving hospitals, about 6% of these bad actors were malicious insiders – people who worked on a system and stole information from it.
About 35% of breaches are caused by “benign actors.” This includes people who work for the hospital, an outside vendor or a researcher. All are well-meaning but accidentally cause data breaches through errors.
The report states that “human error is also a significant initial point of compromise.” This can include accidentally posting patient information to a public website or inadvertently leaking data.
Cybersecurity Solutions for Health IT
Clearly, there is a need for those in health IT with extensive training in health informatics and computer systems. Leaders in the field are needed not only to ensure that systems are up-to-date on the technical side, but also to institute training programs for those with access to electronic healthcare systems.
That’s because 84% of all data breaches occurred due to email phishing or human error, according to the report. Both are preventable with the proper training.
Fortunately, health IT leaders report that they feel empowered to create changes within their systems. Almost 60% either agreed or strongly agreed that cybersecurity professionals were empowered by business leaders to drive change throughout their organizations.
Also, 72% said their budgets increased by 5% or more for the latest budget year.
Where the Gaps Exist
Even though the survey shows where most of the issues originate and cybersecurity professionals feel empowered to make changes, gaps remain.
The survey identifies two primary areas where gaps exist.
Email phishing tests – Despite the majority of cyber-attacks coming through email phishing, almost 20% of organizations – and 36% of non-acute care organizations – did not do phishing tests. The report notes that “it is incredible that any organization in this environment would not be testing a known vulnerability.”
Legacy systems – Many healthcare systems continue to use unsupported legacy systems, including in medical devices and industrial control systems. About 69% of respondents said this is the case in their system.
The report states that relying on a legacy system “is an ill-advised practice.” It notes that some systems are decades old and “greatly increase” the chance an organization will be hacked.
These are some of the critical issues raised in the report. They paint a picture of a healthcare system that still has far to go in terms of cybersecurity from both a technical and training perspective. Those who want to become leaders in this field face a wealth of opportunity in guiding health systems into the digital future.