A recent Ponemon Institute survey found that 62% of healthcare companies have experienced a data breach in the past 12 months. More than half of those companies lost data as a consequence.
The survey, backed by Merlin International, covered 627 healthcare industry leaders from hospitals and payer companies. 67% of respondents worked in hospitals with 100-500 beds and an estimated 10,000 to 100,000 networked devices.
Last year over 5 million healthcare records were stolen or exposed, and healthcare was the second most targeted industry after the business sector. 2017 was the fourth successive year in which the healthcare industry ranked second for data breaches, and there are no signs that cyberattacks will decrease over the coming year.
Although the likelihood of experiencing a cyberattack is high, 51% of surveyed companies have not yet implemented an incident response program. This lack of preparedness can hamper recovery when a cyberattack occurs. As the Cost of a Data Breach Study by the Ponemon Institute indicated, a quick response to a data breach can limit the harm caused to breach victims and reduce the cost of mitigating such an attack. Respondents reported that the cost of mitigating an attack and dealing with the fallout from a network compromise was roughly $4 million.
When asked about the biggest threats to their company and the kinds of attack that caused the most concern, there was little to choose between external and internal threats, which were rated as a top concern by 63% and 64% of respondents respectively. The key perceived targets for hackers were electronic medical records (77%), patient billing information (56%), login credentials (54%), other authentication credentials (49%), and research information (45%).
The methods used to gain access to systems and data varied widely. The main attack techniques were the exploitation of software and operating system vulnerabilities and the use of malware. 71% of respondents said vulnerabilities were exploited, while 69% said attacks involved the use of malware. 37% of companies had experienced ransomware attacks.
The security of medical devices is the main concern, particularly since they are a blind spot in many companies. 65% of respondents said medical devices were not included in their overall cybersecurity plan or they did not know if they were. 31% of respondents said they didn’t have any plans to include medical devices in their cybersecurity plans in the near future.
The HHS’ OCR has raised awareness of the need to provide ongoing security awareness training to staff, and businesses such as Cofense have published data showing how security awareness training and phishing simulations can greatly reduce susceptibility to phishing attacks. Nevertheless, several healthcare companies are not heeding that guidance and are not providing training consistently. Several healthcare companies are still only providing security awareness training to workers annually. It is therefore no surprise that 52% of respondents said a lack of employee security awareness was hampering their ability to improve their security posture.
74% believed the biggest obstacle preventing them from improving security was staffing problems, and 60% said they don’t have staff with the right cybersecurity qualifications in-house. 51% of respondents said that they have not yet hired a Chief Information Security Officer (CISO).