Cybersecurity healthcare survey: 7 takeaways

HIMSS surveyed more than 160 cybersecurity professionals and found some healthcare organizations are spending more to protect their networks, but many are still making modest investments.

Some healthcare organizations are starting to invest more in cybersecurity, but a recent survey shows many are still not putting much money toward it.

The Healthcare Information and Management Systems Society (HIMSS) gathered responses from 167 cybersecurity professionals for its 2021 cybersecurity survey, which was released Jan. 28.

Cybersecurity attacks rose last year, with hundreds of breaches reported at healthcare organizations. Experts expect this year could be even worse. The cost of the typical healthcare breach surpassed $9 million in 2021, according to IBM. Several attacks have already been reported in 2022.

The HIMSS survey offered some interesting takeaways on how healthcare organizations are treating cybersecurity. Here are some highlights.

Modest increases in spending

Most respondents (59%) reported an increase in cybersecurity spending for 2021. Most of the rest (34%) said there was no change, while 6% said spending dropped.

The survey found 40% of participants said 6% or less of their information technology budgets were devoted to cybersecurity.

Roughly 1 in 4 (24%) said their budgets did not have a specific allocation for cybersecurity.

Disruption

Perhaps surprisingly, 44% of those who responded said their organizations had no significant impact from security incidents.

Of those who reported an impact, the most common cited (32%) was a disruption of business operations, while 26% reported a disturbance in IT operations.

Other impacts cited were data breaches (22%) and monetary loss (17%).

Patient care affected

Roughly 1 in 5 respondents (21%) reported disruptions of services affecting clinical care. Another 4% reported that damage or destruction of systems affected clinical care.

Increasingly common

Two out of three respondents (67%) said there were significant security incidents within the previous 12 months, the survey found.

Gone Phishing

The initial point of compromise for security threats is phishing. The survey found 71% of cybersecurity pros said the compromise was introduced by phishing.

Phishing remains by far the dominant security threat cited by cybersecurity professionals. The survey found 45% said phishing was the most significant threat, followed by ransomware (17%). The rest of the top five threats: breach or data leakage (7%), negligent insider activity (5%), and social engineering attack.

Attacks by insiders could be underreported. Some healthcare organizations don’t have strong defenses to prevent insider attacks, the HIMSS report stated.

Targeting financial data

Participants were asked to name the targets of cyberattacks. Financial information was the most common (52%), followed by employee information (43%), patient information (39%), intellectual property (15%) and confidential business information (15%). (Respondents were allowed to identify multiple threats.)

Top challenges

When asked about the top challenges they’re facing, the most common response from cybersecurity professionals was the budget (47%), but staff compliance with security policies wasn’t too far behind (43%). Legacy technology came in third (39%).
