I recently had a conversation with the head of security for a major healthcare organization in the Southwestern United States as our staff prepared the current issue of the magazine. We had provided for the mandatory physical security elements in the health section; however, I have been told that we are neglecting a key component of hospital risk mitigation: cybersecurity. We certainly realized that the threat vectors and frequency of cyber incidents in the healthcare sector were serious, but a research paper just published underscores just how serious it is.
The Healthcare Information and Management Systems Society (HIMSS) 2021 Cybersecurity Survey provides insight into the state of healthcare cybersecurity based on feedback from 167 healthcare cybersecurity professionals, including the myriad challenges these organizations face due to tight budgets, aging infrastructure, and an increase in social engineering and ransomware attacks. It’s a stunning revelation.
In this survey, 67% of respondents indicated that their healthcare organizations had experienced significant security incidents in 2021. “The severity level of the most significant security incident over the past 12 months has generally been medium (35%) or high (32%), but some were characterized as critical (12%) or low (20%). Respondents rated the level of severity based on their own criteria, including perceived impact on the organization.”
The survey found that phishing attacks in healthcare facilities were the most significant security incident, with 45% of respondents citing it above ransomware (17%). The report states, “Ransomware and phishing attacks often make headlines when healthcare organizations experience a significant cyberattack. However, healthcare organizations may be looking for phishing and ransomware attacks more than other types of high-profile security incidents.”
Phishing is particularly insidious in a healthcare environment, especially during a hectic pandemic scenario, due to tired and stressed staff, constant turnover of new hires, and a simple lack of training during chaotic shifts. A majority of respondents (57%) indicated that the most significant security incident usually involved phishing. Specifically, the types of phishing reported included: general email phishing (71% of respondents), spear phishing (67%), voice phishing/vishing (27%), whaling (27%), business email compromise (23%), SMS phishing (21%), phishing websites (20%) and social media phishing (16%).
“Even with these alarming numbers for both attack growth and attack effectiveness, security budgets are stuck at the same percentage of IT spending. This of course encourages these companies to make better use of the resources at their disposal to identify and mitigate these attacks. Given that the vast majority of attacks are identity-based attacks (email, voice and SMS phishing) – it is imperative that companies both periodically and dynamically monitor their accounts – especially privileged accounts – for changes in behaviors and entitlements,” says Garret Grajek, CEO of YouAttest, a cloud-based access review engine.
The 2021 survey also found that hospital financial information (52%), employee information (43%) and patient information (39%) were top targets for threat actors. The most disheartening news for hospital administrators is that 24% of respondents said their cybersecurity budgets had no specific reserve, while 40% said 6% or less of the IT budget was allocated to cybersecurity.
It’s a concern for Nasser Fattah, chair of the North American Steering Committee for Shared Assessments, a member-driven organization that promotes safe and resilient third-party partnerships, who acknowledges that the sector’s users are its first line of defense.
“Through appropriate ongoing security awareness training, we can equip our users to become our human firewalls to further defend against social engineering, including phishing, which continues to be the approach of choice for bad actors because of its success,” he said. “Here, security awareness is essential, continuous and not ad hoc, because it must be adapted in the language best understood by our users: small digestible briefings to better focus, personalized so that users can also use the training to protect themselves and their loved ones, and simple steps to take to defend themselves, to name a few. Finally, it is important to understand what success looks like with an effective security awareness program, and then introduce metrics to measure that success.”