Fully 81 percent of healthcare executives say their organizations have been compromised by malware, botnets or cyber attacks at least once in the past two years, according to the findings of the 2015 KPMG Healthcare Cybersecurity Survey [PDF].
The survey of 223 chief information officers, chief technology officers, chief security officers and chief compliance officers at healthcare providers and health plans also found that 13 percent of respondents said they're targeted by external hack attempts about once a day, and another 12 percent are seeing about two or more such attacks a week.
"Healthcare organizations that can effectively track the number of attempts have less cause for worry than those who may not detect all of the threats against their systems," Greg Bell, leader of KPMG's Cyber Practice, said in a statement. "The experienced hackers that penetrate a vulnerable health care organization like to remain undetected as long as they can before extracting a great deal of content, similar to a blood-sucking insect."
The leading information security concerns, according to survey respondents, are malware infecting systems (67 percent), HIPAA violations or other compromise of patient privacy (57 percent), internal vulnerabilities such as employee theft or negligence (40 percent), medical device security (32 percent), and aging IT hardware (31 percent).https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
The areas with the greatest vulnerabilities within the organizations are external attackers (65 percent), sharing data with third parties (48 percent), employee breaches (35 percent), wireless computing (35 percent) and inadequate firewalls (27 percent).
According to the KPMG report, the key sources of increased security threats are as follows:
- The adoption of digital patient records and the automation of clinical systems.
- The use of antiquated EMR and clinical applications that are not designed to securely operate in today's networked environment and software vendors who push that problem to the provider.
- The ease of distributing ePHI both internally (laptops, mobile devices, thumb drives) and externally (third parties, Cloud services).
- The heterogenous nature of networked systems and applications (i.e. network-enabled respirator pumps on the same network as registration systems that can browse the Internet).
- The evolving threat landscape, where cyber attacks today are more sophisticated and well funded given the increased value of the compromised data on the black market.
Sixty-six percent of executives at health plans said they feel prepared for cyber attacks, while 53 percent of executives at healthcare providers felt the same way. Notably, 16 percent of respondents said they're unable to tell in real time if their systems are compromised.
"The vulnerability of patient data at the nation's health plans and approximately 5,000 hospitals is on the rise and healthcare executives are struggling to safeguard patient records," Michael Ebert, leader in KPMG's Healthcare & Life Sciences Cyber Practice, said in a statement.
"Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed," Ebert added. "A key goal for execs is to advance their institutions' protection to create hurdles for hackers."
A separate Ponemon Institute survey recently found that fully 91 percent of healthcare organizations had been breached in the past two years, and that criminal attacks in the healthcare sector are up 125 percent since 2010.