
Healthcare Scores Poorly for Practicing Cyber Incident Response

2021 was another record-breaking year for healthcare industry data breaches, with over 50 million records breached and over 900 data breaches recorded by databreaches.net. Given the extent to which the healthcare industry is targeted by cyber actors, the risk of a data breach occurring is high. A SecureLink/Ponemon Institute study in 2021 found that 44% of healthcare and pharmaceutical companies had experienced a data breach in the past 12 months.

While steps can be taken to improve defenses and prevent cyberattacks from succeeding, healthcare organizations need to be prepared for the worst and should have an incident response plan in place that can be initiated immediately in the event of a cyberattack. With proper planning, healthcare organizations will be well prepared when a cyberattack occurs and will be able to recover in the shortest possible time frame.

Regular exercises should be conducted to ensure everyone is aware of their responsibilities and that the plan works. All too often, victims of cyberattacks discover their incident response plan is inefficient or ineffective due to a lack of testing, which can result in a slow and costly response to a cyberattack.

This month, Immersive Labs released its 2022 cyber workforce benchmark report, which included data from more than 2,100 organizations across a range of industry sectors that use the Immersive Labs platform for conducting cyber crisis simulations. Highly prized, high-profile targets such as technology and financial services performed the most cyber crisis exercises, running an average of 9 and 7 exercises per year respectively, but healthcare organizations were near the bottom of the list, performing an average of 2 exercises per year.


In the event of a cyberattack, many different people will be involved in the response. It is therefore important for those people to participate in exercises. It is unsurprising that the more people who are involved in incident response exercises the better prepared an organization will be to respond to a cyberattack. Immersive Labs scored the effectiveness of the exercises and found that every exercise that scored more than 90% for effectiveness had an average of 11 people participating. All but one of the crisis scenarios that scored less than 50% for effectiveness had just one person participating. In healthcare, an average of 4 individuals participated in the exercises, compared to 7 in technology and 21 in education.

Immersive Labs analyzed performance for the crisis response exercises and calculated a score based on the quality of decisions throughout the entire simulation. The average performance score across all exercises was 68%, which shows there is significant room for improvement. The leading industry sector was manufacturing, with a performance score of 85%. Worryingly, healthcare performed the worst out of all industry sectors for cyber crisis response by some distance, achieving a performance score of just 18% – considerably lower than the next worst-performing sector – financial services – which scored 45%.

Immersive Labs also analyzed how long it took 35,000 members of cybersecurity teams at 400 large organizations to develop the knowledge, skills, and judgment needed to address 185 breaking threats. On average, it took teams 96 days to develop the skills to defend against breaking threats. They found that mitigating one vulnerability in the Exim mail transfer agent – which affected more than 4.1 million systems and was being actively exploited – took security teams over 6 months on average to master. CISA says vulnerabilities should be patched within 15 days of initial detection.

Developing the human capabilities to defeat attackers is a slow process, especially in healthcare. The best-performing sector was leisure/entertainment, where security teams took an average of 65 days to develop the necessary skills. In healthcare, it took an average of 116 days. Only consulting, infrastructure, and transport performed worse. Across all industry sectors, the average time to develop the skills to respond to threats was 96 days.

“The modern cyber crisis is an all-encompassing organizational trauma. Stopping incidents bringing operations to a halt and destroying reputation, corporate value and stakeholder relationships requires a holistic response from the entire workforce,” explained Immersive Labs in the report. “Achieving this kind of resilience requires a continually maturing responsive capability for technical and non-technical teams, developed by exercising with a cadence that traditional tabletop exercises struggle to achieve… exercising to gather evidence, and then using these insights to equip teams with relevant skills, is critical to ongoing resilience.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.