HIMSS Cybersecurity Survey 2019: Disturbing Patterns Emerge Alongside Promise

Published On January 28, 2020

If you’ve managed to sit down with the first episodes of the newest entrant into the Star Wars universe, The Mandalorian, you’ve witnessed a blend of fresh takes on familiar heroes, even as old threats (in the form of storm troopers and scavenging Jawas) play a central role.

The emerging era of healthcare cybersecurity emerges in a similar environment, and the latest HIMSS cybersecurity survey provides an excellent overview of the challenges and solutions industry professionals want to stay on top of.

The Survey

The Healthcare Information and Management Systems Society (HIMSS) surveyed 166 cybersecurity professionals, all of whom had oversight responsibilities or were involved in the day-to-day operations of their organization’s cybersecurity program. This means that the results are potentially skewed toward professionals with a degree of concern about cybersecurity challenges in their work.

The Phishing Menace

Healthcare cybersecurity threats are far from randomized. While incidents impact organizations across the spectrum, a few disturbing trends have emerged over time. One of the most telling is that security incidents are now to be expected.

In the HIMSS survey, only 22% of respondents reported not experiencing a “significant security incident” in the last 12 months. The cause of these incidents point back to two primary threat actors: online scam artists (28%) and negligent insiders (20%). These results point to specific opportunities to improve security results through education and improvements in practices and protocols.

Initiation Points and Discovery

On the vulnerability front, email still stands out as the most common initiation point of compromise at 59%, but it’s worth noting that human error takes up 25% of the share itself. Table 4 in the report offers insight into the breakdown of bad actors (including hackers, social engineers and malicious insiders) and benign actors like vendors and researchers.

The report also calls out the role of internal resources in discovering significant security incidents. Internal security teams and personnel lead in this area, highlighting additional preventive opportunities in education and training of these roles.

A New Hope (Maybe)

While the industry does seem to be settling deeper into the pits of cybersecurity risks, new potential is emerging.

The survey revealed that across the board, cybersecurity pros are feeling empowered in their ability to drive change in their organization — 59% indicated they agree at some level with this feeling. At the same time, 41% of respondents did not feel similarly empowered.

Overall, healthcare organizations are starting to put their money where the risk management is. HIMSS’ 2019 cybersecurity survey revealed that while allocation fell across a range of percentages, about 46% had 3% or more of their budget dedicated to cybersecurity, and 72% indicated their budgets had increased by 5% or more or held their current levels.

And the money is being well invested. Thirty-seven percent of survey respondents said their home organization conducts comprehensive, end-to-end risk assessments — a significant jump over the 26% in 2018.

The Rise of Complacency

Worried that your security practices might end up roasted like a Kowakian monkey lizard? You should spend some time analyzing this section of the report.

With all the positives that are happening in healthcare organizations, a few “early warning signals” are starting to emerge. Namely, the fact that the most challenging factor named by respondents was “too many emerging and new threats,” but that same factor only ranked as “somewhat of a challenge.”

Does this mean that, despite all the investments and optimism, security professionals are asleep at the wheel? Not likely, but it shows there is a need for more momentum in addressing barriers like the lack of qualified personnel and needing more financial resources.

HIMSS proposes some straightforward measures to help make progress:

• updating written policies and procedures

• reviewing options for enforcing policies (i.e., coordination with IT, HR and legal departments)

• reconsidering the effectiveness of policies and procedures that aren’t necessarily enforceable

Revenge of the Gaps

Complacency has consequences, and the current HIMSS cybersecurity report suggests that the most likely is glaring gaps in healthcare cybersecurity practices.

Remember how email and phishing kept popping up in the discussion around cybersecurity threats and vulnerabilities? Well, 18% of survey respondents indicated their organization did not conduct phishing tests — an unfortunate trend that appears to be more common in non-acute care organizations (36%).

Another, possibly more concerning gap was the ubiquitous legacy (unsupported) system. Almost 70% of respondents indicated they had at least some legacy system in place, and 15% stated that over 10% of their systems fell into the legacy OS bucket. Here’s a breakdown:

• Windows server (48%)

• Windows XP (35%)

• Embedded legacy OS in medical devices (33%)

• Embedded legacy OS in industrial control systems (e.g., HVAC) (20%)

So, what does this all mean? For individual healthcare professionals, it means that regardless of larger trends, understanding the specific risks and opportunities in your organization will be critical to encouraging transformation and nurturing your career as a healthcare cybersecurity professional.

If you plan on attending HIMSS 2020, consider attending some of the cybersecurity sessions throughout the week, especially those that align with the goals and threats at your organization.