HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Serious Concerns

Each year, HIMSS carries out a survey to collect information about the security experiences and cybersecurity practices of healthcare organizations. The survey provides insight into the state of cybersecurity in healthcare and identifies attack trends and common security gaps.

Some 166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018.

This year’s survey showed that security incidents are near-universal in healthcare. Nearly three quarters (74%) of healthcare organizations experienced a significant security incident in the past 12 months, while 22% said they had not experienced a significant security incident in the past year. The figures are consistent with the 2018 HIMSS Cybersecurity Survey, in which 21% of respondents stated they had not experienced a significant security incident.

In 2018, 82% of hospital systems reported a significant security incident, as did nearly two-thirds of non-acute care and vendor organizations.

The most common actors behind security incidents were cybercriminals (28%) and careless insiders (20%). Cybercriminals used methods such as phishing, spear phishing, whaling, and business email compromise (BEC) to gain access to healthcare networks and data. They often impersonate senior executives in an organization and request confidential data or fraudulent wire transfers.

Threat actors use a range of methods to gain access to healthcare networks and patient data, but a high proportion of security incidents in the past 12 months involved email: 59% of respondents said email was the initial point of compromise. Human error was the second most common cause of security incidents, named as the initial point of compromise by 25% of respondents.

HIMSS said it is not surprising that so many healthcare organizations have experienced phishing attacks. Phishing attacks are easy to carry out, low-cost, can be highly targeted, and have a high success rate. Email accounts also contain a trove of confidential information, including financial data, patients’ personal and health information, technical data, and business information.

Even though email is among the most common attack vectors, many healthcare organizations are not doing enough to reduce the risk of attacks. The HIMSS Cybersecurity Survey found that 18% of healthcare organizations are not running phishing simulations on their workforce to reinforce security awareness training and identify weak links.

While email security can be improved, there is concern that making email attacks harder to pull off will push threat actors toward alternative methods of compromise. It is therefore important for security leaders to closely monitor other potential avenues of compromise.

The most common ways in which human error leads to the disclosure of patient data are posting patient data on public-facing websites, unintentional data leaks, and simple mistakes.

HIMSS explained that it is vital to educate key stakeholders on IT best practices and to ensure those practices are followed. Significant security incidents caused by careless insiders were commonly the result of lapses in security practices and procedures.

HIMSS recommends that additional security awareness training be provided to all employees, not just those involved in security operations and management. Members of security teams should also receive additional training on current and emerging threats, along with regular refresher training, to ensure they know how to handle and mitigate security threats.

Email attacks and the continued use of legacy (unsupported) systems such as Windows Server and Windows XP raise serious concerns about the security of the healthcare ecosystem.

69% of respondents said they continue to use at least some legacy systems: 48% are still using Windows Server and 35% are still using Windows XP, despite the security risks those legacy systems introduce.

While it is encouraging that 96% of organizations conduct risk assessments, only 37% of respondents said they conduct comprehensive risk assessments. Only 58% assess risks related to their organization’s website, 50% assess third-party risks, and just 47% assess risks associated with medical devices.

HIMSS recommends that cybersecurity professionals be empowered to drive change throughout the organization. “Rather than being ‘hermetically sealed off’ from the rest of the organization they serve, cybersecurity professionals should be both a visible and integral part of the strategic planning and operational infrastructure of their organizations,” a view shared by 59% of respondents.

It is good to see that, in response to the growing threat of attacks, healthcare organizations are allocating more of their IT budgets to cybersecurity. 72% of respondents said their cybersecurity budget had either increased by 5% or more or remained the same.

You can download the 2019 HIMSS Cybersecurity Survey Report via this link (PDF).