Hospitals, Health IT

Phishing attacks most common cybersecurity incident at US healthcare organizations

A survey of healthcare cybersecurity professionals by HIMSS details the most common types of cyber attacks, its impact on patient care as well as solutions hospitals and health systems have implemented to prevent falling prey to this type of criminal activity.

More than half of healthcare cybersecurity professionals said that their organization has experienced a phishing attack in the last year, making it the most common type of cybersecurity incident in healthcare, according to new survey from the Healthcare Information and Management Systems Society.

Cybersecurity has become a key issue for the U.S. healthcare system. Just last month, the Federal Bureau of Investigation, along with the Cybersecurity and Infrastructure Security Agency and Department of Health and Human Services, released an advisory warning of an “imminent and increased cybercrime threat” to healthcare providers.

sponsored content

A Deep-dive Into Specialty Pharma

A specialty drug is a class of prescription medications used to treat complex, chronic or rare medical conditions. Although this classification was originally intended to define the treatment of rare, also termed “orphan” diseases, affecting fewer than 200,000 people in the US, more recently, specialty drugs have emerged as the cornerstone of treatment for chronic and complex diseases such as cancer, autoimmune conditions, diabetes, hepatitis C, and HIV/AIDS.

The new survey from HIMSS polled 168 U.S.-based healthcare cybersecurity professionals, of which 55% worked at a provider organization. The survey was conducted from March to September.

Survey results show that the top five types of cybersecurity incidents healthcare organizations experienced in the past year are:

  • Phishing attacks (57%)
  • Credential harvesting attacks (21%)
  • Social engineering attacks other than phishing (20%)
  • Ransomware or other malware (20%)
  • Theft or loss (16%)

About 28% of respondents said that the cybersecurity incidents disrupted information technology operations, while 27% said it disrupted business operations and 20% percent reported that the incidents resulted in a monetary loss, such as wire fraud or extortion.

The cybersecurity incidents also had an impact on patient care, the survey shows. Approximately 61% said that the incidents disrupted non-emergency clinical care, and 28% said it interrupted emergency services. About 17% said the incidents led to serious patient harm. Most respondents (61%) said they do not feel that their organization has effective mechanisms in place to discover patient safety issues that may result from cybersecurity incidents.

Healthcare organizations’ reliance on internal resources to prevent these incidents has also grown. A vast majority of the respondents (75%) said their organizations learned of cybersecurity incidents from internal security teams, up from 46% of respondents who said the same in a 2019 HIMSS survey.

Following a cyberattack, most respondents (75%) said their organization adopted new or improved security measures, while 67% said they drafted, revised and/or tested policies, procedures and documentation. About 65% said their organization conducted a vulnerability scan.

Though most organizations have implemented antivirus/anti-malware solutions (91%) and firewalls (89%) to prevent cybersecurity incidents, they are lagging with regard to other safeguards. Only 64% of respondents reported that their organizations have installed multi-factor authentication. Though this figure has increased significantly from 37% in HIMSS’ 2015 survey, it still leaves more than a third of organizations without multi-factor authentication — a key strategy for protecting against security breaches.

“Healthcare organizations need to make cybersecurity a fiscal, technical, and operational priority,” the report states. “Upgrading or replacing legacy systems, conducting end-to-end security risk assessments, enhancing cybersecurity awareness and training programs, and increasing cybersecurity budgets are a few, proactive steps that can be taken.”

Photo credit: HYWARDS, Getty Images