HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns

Each year, HIMSS conducts a survey to gather information about security experiences and cybersecurity practices at healthcare organizations. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps.

166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018.

This year’s survey revealed security incidents are a universal phenomenon in healthcare. Almost three quarters (74%) of healthcare organizations experienced a significant security breach in the past 12 months. 22% said they had not experienced a significant security incident in the past year. The figures are in line with the 2018 HIMSS Cybersecurity Survey, when 21% of respondents said they had not experienced a significant security incident.

In 2018, 82% of hospital systems reported a significant security incident, as did almost two thirds of non-acute and vendor organizations.

The most common actors implicated in security incidents were online scam artists (28%) and negligent insiders (20%). Online scam artists used tactics such as phishing, spear phishing, whaling, and business email compromise to gain access to healthcare networks and data. Online scam artists often impersonate senior leaders in an organization and make requests for sensitive data and fraudulent wire transfers.

Threat actors use a variety of methods to gain access to healthcare networks and patient data, although a high percentage of security breaches in the past 12 months involved email. 59% of respondents said email was a main source of compromise. Human error was rated as a main source of compromise by 25% of respondents and was the second main cause of security incidents.

HIMSS said it is not surprising that so many healthcare organizations have experienced phishing attacks. Phishing attacks are easy to conduct, they are inexpensive, can be highly targeted, and they have a high success rate. Email accounts contain a trove of sensitive information such as financial data, the personal and health information of patients, technical data, and business information.

Even though email is one of the most common attack vectors, many healthcare organizations are not doing enough to reduce the risk of attacks. The HIMSS Cybersecurity Survey revealed 18% of healthcare organizations are not conducting phishing simulations on their employees to reinforce security awareness training and identify weak links.

While email security can be improved, there is concern that by making it harder for email attacks to succeed, healthcare organizations will encourage threat actors to look for alternative methods of compromise. It is therefore important for security leaders to diligently monitor other potential areas of compromise.

The most common ways that human error leads to the exposure of patient data is posting patient data on public facing websites, accidental data leaks, and simple errors.

HIMSS explained that it is imperative to educate key stakeholders on IT best practices and to ensure those practices are adopted. Significant security incidents caused by insider negligence were commonly the result of lapses in security practices and protocols.

HIMSS suggests that additional security awareness training should be provided to all employees, not just those involved in security operations and management. Individuals in security teams should also be given additional training on current and emerging threats along with regular training to ensure they know how to handle and mitigate security threats.

Email attacks and the continued use of legacy (unsupported) systems such as Windows Server and Windows XP raise grave concerns about the security of the healthcare ecosystem.

69% of respondents said they continue to use at least some legacy systems. 48% are still using Windows Server and 35% are still using Windows XP, despite the security risks that those legacy systems introduce.

While it is encouraging to see that 96% of organizations conduct risk assessments, only 37% of respondents said they conduct comprehensive risk assessments. Only 58% assess risks related to their organization’s website, 50% assess third party risks, and just 47% assess risks associated with medical devices.

HIMSS suggests cybersecurity professionals should be empowered to drive change throughout the organization. “Rather than being “hermetically sealed off” from the rest of the organization they serve, cybersecurity professionals should be both a visible and integral part of the strategic planning and operational infrastructure of their organizations,” a feeling that was shared by 59% of respondents.

It is good to see that in response to the growing threat of attacks, healthcare organizations are allocating more of their IT budgets to cybersecurity. 72% of respondents said their budget for cybersecurity had increased by 5% or more or had remained the same.

You can download the 2019 HIMSS Cybersecurity Survey Report on this link (PDF).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.