HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year

According to a new report from Kaspersky Lab, 27% of healthcare employees said their organization had experienced at least one ransomware attack in the past year and 33% of those respondents said their organization had experienced multiple ransomware attacks.

In its report – Cyber Pulse: The State of Cybersecurity in Healthcare – Kaspersky lab explained that up until January 1, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights has been notified of more than 110 hacking/IT-related data breaches that have affected more than 500 individuals.

The impact of those breaches can be serious for the organizations concerned. Not only can breaches result in millions of dollars in costs, they can permanently damage the reputation of a healthcare organization and can result in harm being caused to patients.

To investigate the state of cybersecurity in healthcare, Kaspersky Lab commissioned market research firm Opinion Matters to conduct a survey of healthcare employees in the United States and Canada to explore the perceptions of healthcare employees regarding cybersecurity in their organization. 1,758 U.S. and Canadian healthcare employees were surveyed.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

81% of small healthcare organizations (1-49 employees), 83% of medium-sized healthcare organizations (50-249 employees), and 81% of large healthcare organizations (250+ employees) said they had experienced between 1 and 4 ransomware attacks.

The cost of mitigating ransomware and malware attacks is considerable. According to the Ponemon Institute/IBM Security’s 2018 Cost of a Data Breach Report, the average cost of a data breach has now risen to $3.86 million. Kaspersky Lab’s 2018 Cost of a Data Breach Report places the average cost at $1.23 million for enterprises and $120,000 for SMBs.

While cybersecurity is important for reducing financial risk, 71% of healthcare employees said it was important for cybersecurity measures to be implemented to protect patients and 60% said it was important to have appropriate cybersecurity solutions in place to protect people and companies they work with.

Even though healthcare organizations have invested heavily in cybersecurity, many employees lack confidence in their organization’s cybersecurity strategy. Only 50% of healthcare IT workers were confident in they cybersecurity strategy, that fell to 29% for management and doctors, 21% for nurses, 23% for finance department employees, and 13% for the HR department.

Many healthcare employees appear to have a false sense of security. Even though healthcare data breaches are being reported on a daily basis, 21% of respondents had total faith in their organization’s ability to prevent cyberattacks and did not believe they would suffer a data breach in the forthcoming year.

While 73% of surveyed employees said they would inform their security team if they received an email from an unknown individual requesting PHI or login credentials, 17% of employees said they would do nothing if they received such a request. 17% of employees also admitted to having received an email request from a third-party vendor for ePHI and provided the ePHI as requested.

“Healthcare companies have become a major target for cybercriminals due to the successes they’ve had, and repeatedly have, in attacking these businesses. As organizations look to improve their cybersecurity strategies to justify employee confidence, they must examine their approach,” explained Rob Cataldo, VP of enterprise sales at Kaspersky Lab. “Business leaders and IT personnel need to work together to create a balance of training, education, and security solutions strong enough to manage the risk.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.