Healthcare organizations desperately need help from security-minded tech providers.
Last year, the number of attacks on healthcare organizations worldwide increased by more than 210%, according to new figures from McAfee Labs.
Similarly, more than 60% of healthcare executives admit their organizations were attacked by cybercriminals last year. And more than half of those attacks resulted in the loss of patient data. That’s pretty desperate.
Those last 2 figures come from survey results released today by research firm Ponemon Institute and cybersec solutions provider Merlin International. They recently surveyed more than 625 healthcare executives on their cybersecurity practices.
As an industry, healthcare accounted for nearly 1 in 4 of all cybersecurity breaches committed last year, Ponemon estimates.
These attacks exposed more than 5 million patient records. The most-targeted data types, in order of survey response, were:
> Patient medical records
> Patient billing information
> Log-in credentials
> Passwords and other authentication credentials to systems, servers or applications
> Clinical trial and other research information
Bad, but preventable
This trouble isn’t inevitable. When McAfee dug into the causes of these attacks, it found that many of the incidents could have been prevented.
That’s because the attacks were due not to smarter hackers, but to organizational failure. In many cases, healthcare providers had failed either to comply with security best practices or to address known vulnerabilities in their software.
“Our research uncovered classic software failures and security issues,” said Christiaan Beek, a lead scientist at McAfee, “such as hardcoded embedded passwords, remote code execution and unsigned firmware.”
Beek added: “Both healthcare organizations and developers creating software for their use must be more vigilant in ensuring they are up to date on security best practices.”
Unfortunately, “more vigilant” appears to be exactly what many healthcare organizations are not.
One best practice is to hire a dedicated chief information security officer (CISO). But according to the Ponemon/Merlin survey, only about half of all organizations have done this.
What’s more, when asked whether they have the right cybersecurity qualifications in-house, 60% of the healthcare execs answered No.
It gets worse. Only half the execs said their organizations have any type of incident-response program at all.
“Healthcare organizations must get even more serious about cybersecurity,” said Brian Wells, Merlin’s director of healthcare strategy.
He’s right. Are you ready to help them?