HIMSS Cybersecurity Survey Reveals the Human Factor is the Biggest Vulnerability in Healthcare

HIMSS has released the results of its 2021 Healthcare Cybersecurity Survey, which found that 67% of respondents had experienced at least one significant security incident in the past 12 months, with phishing the most common cause of the most significant incidents.

The 2021 HIMSS Healthcare Cybersecurity Survey was conducted with 167 healthcare cybersecurity professionals, each of whom had at least some responsibility for day-to-day cybersecurity operations or oversight.

Respondents were asked about the significant security incidents they had experienced in the last 12 months. Phishing accounted for 45% of those incidents, and 57% of respondents said their most significant incident involved phishing. Phishing is most often conducted by email: 71% of the most significant incidents were email-based phishing attacks. However, 27% reported a significant voice phishing (vishing) incident, 21% reported SMS phishing (smishing) incidents, and 16% reported social media phishing incidents.

Phishing was the most common initial point of compromise, accounting for 71% of the most significant security incidents, followed by other social engineering attacks at 15%. Human error was the cause of 19% of the most significant incidents, and 15% were attributed to the continued use of legacy software that is no longer supported. The survey also found that basic security controls were not fully implemented at many organizations.

Ransomware attacks continue to plague the healthcare sector, and they often cause major disruption and carry high remediation costs. 17% of respondents said the most significant security incident they experienced was a ransomware attack. 7% said negligent insider activity caused their most significant incident, although HIMSS notes that healthcare organizations often lack strong defenses against insider threats, so incidents of this kind are likely underreported.

Given how often phishing leads to compromised accounts or serious cyberattacks, healthcare organizations must deploy effective email security controls to block phishing emails and also invest in security awareness training for the workforce. No single security solution blocks every phishing attempt, so employees must be trained to recognize phishing and social engineering attacks. Training in security best practices also helps reduce the human error that is behind many data breaches.
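As an added illustration of the kind of automated header checks a mail gateway or SOC script can apply before a message reaches an employee (this is example code, not part of the HIMSS survey or any product), the following Python script triages inbound messages: it trusts only the Authentication-Results header stamped by the organization's own gateway, and flags SPF/DKIM/DMARC failures, lookalike sender domains, display names that embed a different address, and a Reply-To that points somewhere other than the From domain. The organization domain, the gateway hostname and the three sample messages are constructed assumptions.

```python
"""Triage of inbound mail headers for common phishing indicators.

Added example, not part of the HIMSS survey or any vendor product. It
assumes the organization's gateway stamps an Authentication-Results header
(RFC 8601) and that the organization's own domains are known. All sample
messages below are constructed.
"""
import email
import re
from email.utils import parseaddr

# Assumption: the organization's legitimate sending domains.
ORG_DOMAINS = {"example-health.org"}

# Assumption: our own gateway, the only authserv-id whose results we trust.
TRUSTED_AUTHSERV = "mx.example-health.org"


def parse_auth_results(header_value):
    """Return e.g. {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail'} from an
    Authentication-Results header. Results are used only if the header was
    added by our gateway; an attacker can inject headers naming other hosts."""
    results = {}
    parts = [p.strip() for p in header_value.split(";")]
    authserv = parts[0].split()[0].lower() if parts[0].split() else ""
    if authserv != TRUSTED_AUTHSERV:
        return results
    for part in parts[1:]:
        m = re.match(r"(spf|dkim|dmarc)\s*=\s*(\w+)", part, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if domain resembles, but is not, one of our own domains
    (e.g. examp1e-health.org or example-health-org.com)."""
    domain = domain.lower()
    if domain in ORG_DOMAINS:
        return False
    for org in ORG_DOMAINS:
        base = org.split(".")[0]
        if _edit_distance(domain, org) <= 2 or base in domain:
            return True
    return False


def triage(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    # Mail claiming our own domain must carry a DMARC pass from our gateway.
    if from_domain in ORG_DOMAINS and auth.get("dmarc") != "pass":
        findings.append("claims our domain but DMARC did not pass")
    if auth.get("spf") == "fail" or auth.get("dkim") == "fail":
        findings.append("SPF or DKIM failed")
    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")
    # Display name that embeds an address from a different domain than From.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_domain:
        findings.append("display name carries a different address than From")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")
    return findings


# Constructed sample messages (not real mail).
LEGIT = """From: IT Helpdesk <helpdesk@example-health.org>
To: nurse@example-health.org
Authentication-Results: mx.example-health.org;
 spf=pass smtp.mailfrom=example-health.org;
 dkim=pass header.d=example-health.org;
 dmarc=pass header.from=example-health.org
Subject: Scheduled maintenance

Routine notice.
"""

PHISH = """From: "helpdesk@example-health.org" <it-support@examp1e-health.org>
Reply-To: collector@mailbox-free.example
To: nurse@example-health.org
Authentication-Results: mx.example-health.org;
 spf=pass smtp.mailfrom=examp1e-health.org; dkim=none; dmarc=none
Subject: Password expires today

Click here to keep your account.
"""

SPOOF = """From: CEO <ceo@example-health.org>
To: finance@example-health.org
Authentication-Results: mx.example-health.org;
 spf=fail smtp.mailfrom=example-health.org;
 dkim=fail header.d=example-health.org; dmarc=fail header.from=example-health.org
Subject: Urgent wire

Please process the attached invoice.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH), ("spoof", SPOOF)):
        print(name, triage(raw) or "no findings")
```

The lookalike check is deliberately a heuristic (edit distance plus the bare organization name appearing inside another domain); in production it would sit beside a DMARC reject policy on the organization's own domains and a block on newly registered domains, and its findings would feed quarantine or a banner rather than an outright drop.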

The continued use of legacy systems after end-of-life is a persistent problem in healthcare. Plans should be made to upgrade or replace obsolete software, and where that is not possible, compensating controls should be applied to make exploitation of known vulnerabilities harder, such as isolating legacy systems on segmented networks and not exposing them to the internet.

44% of respondents said their most significant incident had no significant impact; however, 32% said it disrupted systems in ways that affected business operations, 26% said it disrupted IT systems, and 22% said it resulted in a data breach or data leakage. 21% said the incident affected clinical care, and 17% said it resulted in financial loss.

Despite the risk of cyberattacks, cybersecurity budgets remain tight. 40% of respondents said 6% or less of their IT budget was allocated to cybersecurity, the same proportion as in each of the past four years, even as the threat of attack has grown. 40% said their cybersecurity funding was unchanged from last year or had decreased, and 35% said they expected no change in funding.

Asked about their biggest security challenges, 47% of respondents named inadequate budget. Staff compliance with policies and procedures was a major obstacle for 43%, the continued use of legacy software for 39%, and patch and vulnerability management for 34%.

Employee errors, identity and access management, device management, building a cybersecurity culture, data leakage, and shadow IT were also cited as significant security challenges.

The findings of the 2021 HIMSS Healthcare Cybersecurity Survey show that healthcare providers still face substantial challenges: limited security budgets, growing legacy footprints, and a rising volume of cyberattacks and compromises. Basic security controls were not fully implemented at many organizations, and the human factor is perhaps the greatest vulnerability of all. Healthcare organizations should do more to support their cybersecurity professionals and their security programs.