In the healthcare industry and beyond, cyberthreats are everywhere.
According to the 2019 HIMSS Cybersecurity Survey, approximately 74% of respondents experienced a significant security incident in the previous 12 months. More than half these respondents cited email as the initial point of information compromise and 28% of respondents indicated that the cyberthreats were from online scam artists (e.g., phishers). Yet, 18% of respondents indicated that their organizations do not conduct phishing tests—creating vulnerability that puts the entire organization at risk.
Data breaches are expensive. According to the annual Cost of a Data Breach Study conducted by Ponemon, the U.S. currently pays an average of nearly $4 million per breach. In the healthcare sector, one breached patient record costs around $380.
Legacy systems greatly increase the risks an organization faces. Despite this, 69% of HIMSS Cybersecurity Survey respondents reported continued use of legacy systems within their organizations.
“Operating systems that have been unsupported for five, 10 or more years—decades, in some cases—greatly increase a healthcare organization’s risk of being compromised,” said Rod Piechowski, MA, CPHIMS, vice president of thought advisory at HIMSS. “This is particularly significant in light of recent international cyberattacks such as WannaCry and NotPetya.”
Lee Kim, JD, CISSP, CIPP/US, FHIMSS, director of privacy and security at HIMSS, shares with HIMSS TV that the industry has a long way to go to be able to fend off the next WannaCry—but collaboration can help us be better prepared.
The Australian Red Cross Blood Service dealt with a data breach of over 1 million donor records, with details like names, contact information, genders, dates, blood types and information on high-risk sexual behaviors. This private patient information was available to the public for 50 days. Instead of silently retreating from the public eye after the incident, the organization spoke out to share insights on what they learned from it.
“We felt that by being very transparent with stakeholders—the donors and also with government and the information commissioner—that we would make sure people were comfortable that we were doing everything possible to make sure any impact was mitigated,” said Marion Hemphill, general counsel for the Australian Red Cross Blood Service. “We really didn’t want to lose public trust, as the nature of what we do relies very heavily on it.”
Hancock Health, a U.S. hospital based in Indianapolis, Indiana, dealt with an attack that stemmed from a cyberthreat created using a third-party vendor’s account, which hackers gained access to and infected with SamSam ransomware. The hackers demanded ransom money within one week of the breach. After the files were recovered, the organization implemented a new security feature in order to detect similar incidents in the future and instructed employees to reset all passwords.
Darren Lacey, Johns Hopkins Medicine chief information security officer, shares with HIMSS TV his thoughts on the sector’s inherent problems and ways to keep up with hackers.
As alarming as these incidents may be, they are far from uncommon. For the second year in a row, the HIMSS Cybersecurity Survey identified online scam artists as the most frequently cited cyberthreat for significant security incidents and email as the initial point of compromise. Email phishing can either involve a threat actor eliciting sensitive information or malicious content, such as a malicious link, attachment, or calendar invite.
“People want to get things done, so they may take shortcuts and bypass security measures. They may also use passwords that are easy to guess,” said Piechowski, who helps conduct the annual survey at HIMSS. “On the other hand, especially in healthcare, they also want to help, so staff has the tendency to answer questions, make connections and try to keep the customers happy. Attackers take advantage of this potential weakness and that is why phishing is so effective.” Without proper training, staff may negligently click on a malicious link or open a malicious attachment. Negligent threat actors may unknowingly cause harm to an organization by falling prey to a phishing attempt.
We know that overlooking just one cybersecurity incident of ransomware can cost an organization millions—but bad actors often remain invisible following their attacks.
“What we’ve seen over time is as we’ve gotten better with shutting down some of the physical fraud, criminals have moved toward cyberfraud, and reason being they can do it at scale,” said Theresa Payton, CEO and president of cybersecurity firm Fortalice, and previous chief information officer for the White House.
“Oftentimes they can remain anonymous—they’re not going to get caught on a surveillance camera doing what they’re doing, and it’s really hard to do attribution and you rarely see anybody go to jail,” Payton said.
Tune in to the second installment of a four-part video series from HIMSS TV for a deep dive into the latest insights from cybersecurity experts, including Payton. You can also download a HIMSS Insights eBook on the topic to learn more.
By emphasizing data integrity within an organization, leaders will be better prepared to deter cyberthreats—and, if necessary, respond to them appropriately. With negligent insiders contributing to 20% of security incidents, cybersecurity awareness training and education should be a critical security measure for all organizations.
“A holistic approach goes beyond mere compliance and builds a security program designed for a specific organization’s needs,” said Piechowski. “Security is not, as leaders know, a one-size-fits-all solution, and they guide their organizations to identify the right balance of acceptable risk. Of course, leaders know there will always be some risk—it cannot be completely eliminated.”
To learn more about how your organization can prevent cyberattacks and respond to security incidents that occur, join us at one of our many cybersecurity events and educational sessions at HIMSS20.
*Additional registration fee required.
March 9 – 13, 2020 | Orange County Convention Center | Orlando, Florida
The world of health information and technology is evolving—and so is HIMSS. Find out what's next for health and be part of the transformation.