The complexity of the healthcare network infrastructure is a barrier to remediation and mitigation of security incidents, according to 166 health information security professionals surveyed for the 2019 HIMSS Cybersecurity Survey.
Respondents were asked to rate various barriers to remediation and mitigation of security incidents, on a scale of 1 (no challenge) to 5 (extreme challenge). On the complexity of the healthcare network infrastructure, respondents gave it an average score of 2.42.
Other barriers of greater concern include too many emerging and new threats (3.13), lack of personnel with appropriate cybersecurity knowledge and expertise (3.12), lack of financial resources (2.89), too many application vulnerabilities (2.83), too many endpoints (2.80), lack of security awareness training (2.63), and lack of information sharing of threats, mitigation, and know-how with external parties (2.43).
Barriers of lesser concern than network infrastructure complexity are lack of organizational will (2.37) and too many users for timely and effective provisioning and deprovisioning of accounts (2.33).
The survey also found that there are key gaps in healthcare cybersecurity, such as a lack of phishing tests at certain organizations and the widespread use of unsupported legacy systems that could be more vulnerable to cyberattacks.
Eighteen percent of respondents said their organization did not conduct phishing tests, even though phishing attacks are the most common way for healthcare organizations to be breached.
“The percentage of organizations not conducting phishing tests is disconcerting … It is incredible that any organization in this environment would not be testing a known vulnerability,” the report explained.
Meanwhile, more than two-thirds of respondents said they had at least some legacy systems at their organization. Fourteen percent said that more than 10 percent of their organization’s systems would qualify as legacy systems.
Legacy systems include not just unsupported Windows Server and Windows desktop operating system (OS) software, but also embedded operating systems in medical devices and industrial control systems, and legacy Linux, VMS, Unix, and DOS systems.
“Operating systems that have been unsupported for five, ten, or more years (decades in some cases) greatly increase a healthcare organization’s risk of being compromised. This is particularly significant in light of recent international cyber-attacks such as WannaCry and NotPetya,” the report observed.
Three-quarters of respondents said they had experienced a serious security incident in the past 12 months.
Two main threat actors together accounted for 48 percent of responses: online scam artists (28 percent) and negligent insiders (20 percent). Among other bad actors, hackers were identified as the main threat actor by 11 percent of respondents, social engineers by 6 percent, malicious insiders by 6 percent, nation-state actors by 3 percent, and hacktivists by 2 percent. Among benign actors, vendors or consultants were identified by 4 percent of respondents, third-party partners by 4 percent, and researchers by 3 percent.
Fifty-nine percent of respondents identified phishing emails as the cause of a security compromise, while 25 percent identified human error as the cause, 10 percent identified third-party compromise as the source, 8 percent identified hardware or software, 7 percent identified a mobile device, 5 percent said a website or webserver was the source, 5 percent said a remote access server, 5 percent said a medical device, 5 percent said a third-party website, and 2 percent said a cloud provider.
“That e-mail (e.g., phishing email) continues to be the most frequently reported initial point of compromise is not surprising as phishing e-mails are inexpensive to generate and can be quite accurate in targeting recipients,” the report observed.
At the same time, cybersecurity allocations are making up a larger percentage of IT budgets for some healthcare organizations. Thirty-eight percent of respondents said their cybersecurity budgets increased by 5 percent or more compared to last year.
“Leadership at healthcare organizations seems to be giving cybersecurity a higher priority and dedicating more financial resources to support their security programs,” the report observed.