Half of healthcare bodies have no response plan despite regular cyber attacks


Healthcare organizations average about one cyber attack per month, according to a new study, The State of Cybersecurity in Healthcare Organizations in 2016, released by the Ponemon Institute and ESET, a proactive protection specialist.

Almost half (48 percent) of respondents said their organizations have experienced an incident involving the loss or exposure of patient information during the last 12 months. Yet despite these incidents, only half indicated their organization has an incident response plan in place.

"The concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security," said Stephen Cobb, senior security researcher at ESET. "The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels.

“A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management."

The study found that exploiting existing software vulnerabilities and web-borne malware attacks are the most common security incidents. On average, organizations have an advanced persistent threat (APT) incident every three months. Hackers are most interested in stealing patient information.

It also found that healthcare organizations worry most about system failures, and that technology poses a greater risk to patient information than employee negligence.

"Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks," said Larry Ponemon, chairman and founder of The Ponemon Institute.

"As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies."

Healthcare, Cyber Attack, The State of Cybersecurity in Healthcare Organizations in 2016, Ponemon Institute, ESET, Stephen Cobb, US