4 out of 5 Healthcare Providers Have Been Hacked, Says KPMG

The healthcare industry is under attack. Hackers are targeting healthcare providers, insurers and other HIPAA-covered entities for the valuable data they hold, yet health firms remain unprepared to deal with the threat.

The seriousness of the situation is illustrated by a recent cybersecurity report from KPMG. The company commissioned a survey (conducted by Forbes Insights) which shows that 81% of health firms have suffered a cyberattack in the past two years, but only 53% of providers and 66% of payers consider themselves ready to defend against one.

The survey was conducted among CIOs, CTOs and Chief Compliance Officers at healthcare organizations with annual revenues in excess of $500 million. The questionnaire assessed the cybersecurity measures of both healthcare providers and insurers.

The report shows that, in spite of the increased threat to data security, healthcare organizations are ill-prepared for an attack. A quarter of respondents said their organizations were not able to detect cyberattacks in real time because they lack the necessary software systems to do so. The report says, “The healthcare sector lags in terms of its preparedness for cyber threats.”

Michael Ebert, Head of the Health and Life Sciences Cyber Practice at KPMG, told Modern Healthcare, “I would argue that many of the providers aren’t even aware that their systems have been compromised.” He went on to say, “They don’t necessarily know who’s in their systems or what’s occurred.”

Main Findings of the KPMG Healthcare Cybersecurity Survey

  • A quarter of respondents were dealing with weekly or daily cyberattacks: 13% said they were currently being targeted by hackers and had to defend against at least one attack every day, and a further 12% reported being targeted two or more times a week.
  • 44% said they had experienced between one and 50 attempted cyberattacks in the past 12 months, 38% said they had experienced between 50 and 350 attempts, and 13% reported more than 350.
  • 65% named malware as the most common threat, 26% named botnets, and 26% rated internal sources of attack as the most common threat.
  • The main information security concerns were malware (65%), HIPAA violations (57%), employee theft and negligence (40%), and outdated hardware (31%).

The report cites five factors that have raised the threat level in recent years: the move to digital records; the use of outdated applications and EHRs; the comparative ease of stealing information (via portable devices, mobile phones and the cloud); the variation between healthcare network systems; and a rapidly evolving threat landscape.

The report concludes with four key areas that healthcare organizations must address to tackle the growing threat of attack, and suggests that threat management and breach prevention require a fundamentally different approach.

  1. Healthcare providers must reassess their cybersecurity defenses, then redesign and develop a security implementation plan. Interconnectivity that has grown piecemeal, rather than being designed in, does not provide sufficient controls to protect data from attack.
  2. One individual must be given overall responsibility for cybersecurity, and a dedicated cybersecurity team should be built. 19% of providers and 8% of payers have not appointed a leader for information security, and 25% of providers and 20% of payers do not have an information security operations center.
  3. Cybersecurity awareness is critical: a “risk aware” culture must be developed.
  4. Cybersecurity measures require a broad view. Third-party vendors pose additional risks, and they too must be encouraged to identify and address cybersecurity risks.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.