Cybersecurity in Healthcare Ails From Lack of IT Talent

Shaun Sutner

Healthcare cybersecurity woes continue unabated, with more frequent cyber attacks amid a lack of IT talent and employee awareness, but organizations are spending more on security.

Cyber attacks on healthcare organizations have been increasing, reaching an average of 16 a year, up from 11 three years ago, according to "The State of Cybersecurity in Healthcare Organizations in 2018," conducted by Ponemon and commissioned by cybersecurity vendor Merlin International.

Those intrusions, and the breaches they cause, are costing organizations $4 million per successful cyberattack, the survey of 627 health IT and security professionals found.

The survey -- which covers 2017 and compares findings from that year to those from a similar Ponemon survey covering 2015 -- also revealed that 51% of organizations sustained a loss or exposure of patient data, compared to 48% in 2015.

Meanwhile, employees in nearly half of organizations are still poorly trained or ill prepared to follow best practices for cybersecurity in healthcare, according to the survey.

Shortage of cybersecurity IT staff

Brian Wells, chief technology officer at Merlin International, said a healthcare cybersecurity IT shortage is probably due to many hospitals' inability to meet the pay rates of the financial services sector, which is generally protected by considerably more robust cybersecurity than healthcare.

Some 79% of the respondents said they find it difficult to recruit security personnel, and 74% said they don't have enough staff.

"The big hospitals are probably OK with attracting people and paying for the software and technology, but the smaller ones just aren't," Wells said.

Some good news, but mostly bad

While threats to cybersecurity in healthcare have been increasing, providers and other organizations in 2017 were allocating more money to security. They spent an average of $30 million annually, up from $23 million in 2015.

Wells said the survey revealed both good news and bad -- mostly bad.

"There's a lot of bad news. One of the biggest things is that employee awareness and attentiveness to security is still an issue," Wells said. "Forty-six percent aren't really addressing that at all, which is surprising because it's a relatively inexpensive thing to do and it's pretty effective."

Also, fewer than a fifth of the organizations whose employees were surveyed do internal testing for phishing, one of the most common ways hackers can introduce malware into an organization, Wells noted.

"The good news is the investing [in cybersecurity] is going up, but I don't think it's enough," Wells said.

Meaningful use for cybersecurity?

Wells said the need for better cybersecurity in healthcare could be addressed in a similar way to how the healthcare industry moved to electronic health records, spurred by the government's incentive program.

He said a similar publicly funded effort would help providers, especially smaller hospitals, buttress cybersecurity.

More than a third of the respondents said their organizations have been hit by ransomware attacks, according to Ponemon. The group's last healthcare cybersecurity report, published in 2016, did not include ransomware, which had not become as common as it is today.

Top six threats of cybersecurity in healthcare

The top six threats to cybersecurity in healthcare, according to the 2018 Merlin-Ponemon healthcare cybersecurity report are:

  • employee negligence or error;
  • cyberattackers;
  • third-party misuse of patient data;
  • process failures;
  • system failures; and
  • insecure mobile apps.

Top weaknesses

Key cybersecurity problems noted in the Ponemon survey include:

  • Shortage of in-house IT expertise and leadership, including many organizations lacking chief security officers (CSOs)
  • Cyber-insecurity caused by the transition from legacy to cloud systems, and hybrid legacy-cloud systems
  • Attackers increasingly evading intrusion detection and advanced persistent threat detection systems
  • Disruption of healthcare delivery and data system downtime due to denial-of-service attacks

In addition, the Ponemon research found that 43% of organizations don't have a CSO.

One increasingly recognized vulnerability of cybersecurity in healthcare is porous medical devices, with 59% reporting that security of medical devices is not part of their overall health IT security strategy.

High-performers keep hackers away more

On the positive side, Ponemon's special analysis of 59 respondents from high-performing organizations showed that they have been able to reduce, though not eliminate, cyberattacks.

These providers and other high-performing cybersecurity healthcare entities are more likely to have an incident response plan and a coherent strategy for securing connected medical devices.

They are also better at educating and training employees about cyber-risks and at ensuring that third-party contracts protect HIPAA-covered health data.

But negative and surprising findings predominate in the survey, including the insight that half the respondents said they thought cloud and other newer technologies are risky, while the other half had the same misgivings about on-premises legacy infrastructures.

"So, they're kind of trapped in between," Wells said. "They don't trust what they have, and they don't trust the future."