LAS VEGAS -- About 76 percent of healthcare leadership admitted their organizations faced a significant security incident in the past year, according to the annual HIMSS cybersecurity survey released this week at HIMSS18.

HIMSS polled 239 healthcare leaders between December 2017 and January 2018.

The report found that of the attacks, 96 percent were caused by an identifiable threat actor. The top three culprits were phishers, negligent insiders and hackers. Email was the primary initial point of entry for 61 percent of these attacks.

Compromised customer networks, guessed passwords, web app attacks, misconfigured cloud or software, human error, compromised company website, and software or hardware pre-loaded with malware caused the remaining attacks.

About 12 percent of respondents were unsure of how hackers accessed their networks.

What’s hopeful is that 68 percent of these breaches were discovered within seven days, while 47 percent were found in 24 hours. As there have been reports within the last year that show months, and sometimes years, for a breach to be discovered, these numbers are a vast improvement.

And about 68 percent of incidents were discovered internally.

The report also found that while the healthcare sector has seen a significant increase in security incidents in the past year, the severity of breaches has diminished year over year. This reflects a serious improvement in cybersecurity for the industry, overall.

The majority of respondents (84 percent) said their organizations have increased resources to address cybersecurity needs.

It’s concerning, however, that 3 percent of respondents saw these resources decreased year over year. And another 3 percent said no funds went to cybersecurity. Not only that, but 27 percent said there was no specific cybersecurity allotment in the budget. Instead, money was spent as needed or could be requested.

However, hospitals have seen a vast improvement in hiring senior information security leadership, as 60 percent of respondents said they hired for the position last year.

It’s a vast improvement from last year’s report by the U.S. Department of Health and Human Services Cybersecurity Task Force, which found three out of four hospitals were operating without a designated security person.

“Healthcare cybersecurity is advancing with some noted improvements,” the HIMSS report authors wrote. “There is always room for growth. But cybersecurity programs cannot advance alone. Indeed, barriers such as lack of cybersecurity personnel and financial resources still persist.”

“Accordingly, healthcare organizations (and their leaders) need to take proactive steps by instilling positive change and making cybersecurity a genuine priority,” they added. “It is only then that we can move forward instead of taking one step forward and two steps back.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com