HIMSS Healthcare Cybersecurity Survey

The 2020 HIMSS Healthcare Cybersecurity Survey provides insight into the landscape of U.S. healthcare organizations based on feedback from 168 U.S.-based industry professionals.

Significant security incidents continue to plague healthcare organizations of all types and sizes. Phishing is the most common type of significant security incident. Phishing is typically the initial hook for significant security incidents. Both targeted phishing (spear-phishing) and general phishing are equally effective for infiltrating organizations.

The main threat actors are typically cybercriminals and online scam artists. Financial information and employee information are frequently targeted by these threat actors. Financial information may be used for monetary gain. Employee information may be used for identity theft and reconnaissance purposes. Disruption of information technology operations and business operations are typical outcomes of successful cyberattacks. However, a few respondents also reported serious patient injury or harm.

Cybersecurity budgets are still lacking with typically 6% or less of the information technology budget allocated for this purpose. Many organizations are unable to improve their information technology infrastructure and cybersecurity posture as a direct result of having too little funding. A large attack surface exists within many healthcare organizations due to the profound lack of resources.

Relatively few healthcare organizations are conducting end-to-end security risk assessments. Many risks are unaddressed, due to the lack of comprehensive security risk assessments. Furthermore, the legacy system footprint is growing within many healthcare organizations. Sensitive information is exposed and such systems are vulnerable to attack.

Basic security controls such as firewalls and anti-virus software are not universally used by healthcare organizations. Seemingly, too, a patchwork of basic and advanced security controls are in place. But, this paints a picture of a leaking sieve. Instead, healthcare organizations need to adopt next generation technology to replace costly, aging infrastructure. Increased security awareness training of all personnel to help combat phishing is also a necessity.

Further, because many healthcare organizations are dependent upon technology, robust cybersecurity is a must. Healthcare organizations should devise plans for upgrading or replacing legacy systems, conducting end-to-end security risk assessments, enhancing cybersecurity awareness and training programs, and increasing budgets. Robust healthcare cybersecurity is essential for normal operations, patient safety and data protection.

Simply put, cybersecurity needs to be a fiscal, technical and operational priority for all healthcare organizations. Patient lives depend upon the confidentiality, integrity and availability of data, as well as reliable and dependable technology infrastructure.