HIMSS Cybersecurity Survey Suggests the Human Factor is the Largest Vulnerability in Healthcare

The Healthcare Information and Management Systems Society (HIMSS) has published the findings of its 2021 Healthcare Cybersecurity Survey, which revealed that 67% of respondents had experienced at least one significant security incident in the past 12 months, with the most significant security breaches being the result of phishing attacks.

The 2021 HIMSS Healthcare Cybersecurity Survey was conducted on 167 healthcare cybersecurity professionals who had at least some responsibility for day-to-day cybersecurity operations or oversight.

The surveyed IT professionals were asked about the most significant security breach they had experienced in the previous 12 months: in 45% of cases it was a phishing attack, and 57% of respondents said the most significant breach involved phishing. Phishing attacks are most commonly conducted via email, and email-based phishing accounted for 71% of the most significant security incidents; however, 27% reported a significant voice phishing (vishing) incident, 21% a significant SMS phishing (smishing) incident, and 16% a significant social media phishing incident.

Phishing was the most common initial point of compromise, accounting for 71% of the most significant security breaches, with social engineering attacks accounting for 15%. Human error is frequently the cause of serious data breaches, accounting for 19% of the most significant security breaches, with 15% caused by the continued use of legacy software for which support is no longer provided. The survey also revealed basic security controls have not been fully implemented at many organizations.

Ransomware attacks continue to plague the healthcare industry, and the attacks often cause major disruption and have high mitigation costs. 17% of respondents said the most significant security incident they suffered was a ransomware attack. 7% of respondents said negligent insider activity caused the biggest security incident, although HIMSS notes that healthcare organizations often do not have robust defenses against insider breaches, so it is possible that these types of breaches have been underreported.

Given the extent to which phishing leads to account compromises or more extensive cyberattacks, it is important for healthcare organizations to implement robust email security measures to block phishing emails and to also invest in security awareness training for the workforce. No single security solution will block all phishing attacks, so it is vital for the workforce to receive training on how to identify phishing and social engineering attacks. Teaching employees security best practices can help to reduce human error which frequently leads to data breaches.

The continued use of legacy systems once end-of-life has been reached can be a challenge in healthcare, but plans should be made to upgrade outdated systems, and if that is not feasible, mitigations should be put in place to make exploitation of vulnerabilities more difficult, such as isolating legacy systems and not exposing them to the Internet.

44% of respondents said their most significant breach had a negligible impact; however, 32% said security breaches caused disruption to systems that impacted business operations, 26% said security breaches disrupted IT systems, and 22% said security breaches resulted in data breaches or data leakage. 21% said the security breaches had an impact on clinical care, and 17% said the most significant security incident resulted in financial loss.

Despite the risk of cyberattacks, cybersecurity budgets remain slim. 40% of surveyed IT professionals said 6% or less of their IT budget was devoted to cybersecurity, the same proportion as in each of the past four years, even though the risk of attacks has increased. 40% of respondents said their budget had either not changed since last year or had decreased, and 35% said their cybersecurity budget is not anticipated to change.

The HIMSS survey asked respondents about their most significant security challenges; for 47% of respondents this was insufficient budget. Staff compliance with policies and procedures was a major challenge for 43% of respondents, the continued use of legacy software was an issue for 39%, and 34% said they struggled with patch and vulnerability management.

Employees making errors, device management, identity and access management, establishing a cybersecurity culture, data leaks, and shadow IT were also rated as major security challenges.

“The findings of the 2021 HIMSS Healthcare Cybersecurity Survey suggest that healthcare organizations still have significant challenges to overcome. These barriers to progress include tight security budgets, growing legacy footprints and the growing volume of cyber-attacks and compromises. Additionally, basic security controls have not been fully implemented at many organizations,” concluded HIMSS. “Perhaps the largest vulnerability is the human factor. Healthcare organizations should do more to support healthcare cybersecurity professionals and their cybersecurity programs.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.