I recently had a conversation with the head of security for a major healthcare organization in the Southwest U.S. as our staff prepped for the magazine’s current issue. We had scheduled the obligatory physical security features in the healthcare section; however, I was told we were neglecting a key element in hospital risk mitigation – cybersecurity. We certainly realized the threat vectors and frequency for cyber incidents in the healthcare sector were severe, but a just-released research piece highlights just how bad it is.
The 2021 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey provides insight into the state of healthcare cybersecurity based upon the feedback from 167 healthcare cybersecurity professionals, including the myriad challenges these organizations face because of tight budgets, aging infrastructure and an increase in social engineering and ransomware attacks. It is a stunning revelation.
In this survey, 67% of respondents indicated that their healthcare organizations experienced significant security incidents during 2021. “The severity level of the most significant security incident in the past 12 months has typically been medium (35%) or high (32%), but some have been characterized as critical (12%) or low (20%). Respondents rated the severity level based upon their own criteria, including the perceived impact to the organization.”
The survey found that phishing attacks among healthcare facilities were the most significant security incident, with 45% of respondents citing it above ransomware (17%). The report states that “ransomware and phishing attacks frequently make the headlines when healthcare organizations experience a significant cyber-attack. It could be, though, that healthcare organizations are looking more for phishing and ransomware attacks compared to other types of significant security incidents.”
Phishing is particularly insidious in a healthcare environment, especially during a hectic pandemic scenario, because of weary and stressed staff, a constant rotation of new hires and a simple lack of training during chaotic shifts. A majority of respondents (57%) reported that the most significant security incident typically involved phishing. Specifically, the types of phishing reported included the following: general email phishing (71% of respondents), spear-phishing (67%), voice phishing/vishing (27%), whaling (27%), business e-mail compromise (23%), SMS phishing (21%), phishing websites (20%) and social media phishing (16%).
“Even with these alarming numbers in both the growth of attacks and effectiveness of the attacks - security budgets are locked at the same percentage of IT spending. This of course screams those enterprises better utilize the resources that they have to identify and mitigate these attacks. Given that the vast majority of attacks are identity-based attacks (email, voice and SMS phishing) -- it is imperative that enterprises are both periodically and dynamically monitoring their accounts -- especially the privileged accounts for changes in behaviors and entitlements,” says Garret Grajek, the CEO of YouAttest, a cloud-based access review engine.
The 2021 survey also found that hospital financial information (52%), employee information (43%) and patient information (39%) were the primary targets of threat actors. The most discouraging news for hospital administrators is that 24% of respondents reported that their cybersecurity budgets have no specific carve-out, while another 40% reported that six percent or less of the information technology budget was allocated to cybersecurity.
This is a concern for Nasser Fattah, the North America Steering Committee Chair for Shared Assessments, a member-driven organization delivering secure and resilient third-party partnerships. He admits his users are the sector’s first line of defense.
“With the appropriate ongoing security awareness training, we can equip our users to be our human firewalls to further defend against social engineering, including phishing, which continues to be the ‘go-to’ approach for bad actors because of its success,” he says. “Here appropriate ongoing, not a one-time deal, security awareness is key because it needs to be tailored in language best understood by our users, small digestible info sessions to provide better focus, personalized so users can also use the training to protect themselves and loved ones, and simple actionable steps to take with defending, to name a few. Lastly, it is important to understand what success looks like for an effective security awareness program, and then introduce metrics to measure that success.”