A recent survey of healthcare professionals indicates 78% of healthcare organizations have experienced at least one cybersecurity incident in the past 12 months. 60% of those incidents had a moderate or significant impact on the delivery of care, 15% had a severe impact, and 30% involved sensitive data. Protected Health Information (PHI) was exposed or stolen in 34% of incidents in North America.

The survey was conducted by Pollfish on behalf of the cybersecurity firm Claroty on 1,100 individuals in North and South America, APAC, and Europe. Respondents worked full-time in the health sector in cybersecurity, engineering, IT, or networking. The survey indicates 26% of organizations that experienced a cyberattack paid a ransom to either prevent the release of stolen data or to decrypt encrypted files. The costs of these attacks typically fell in the range of $100,000 to $1 million; however, more than one-third of respondents who experienced a cyberattack said the recovery costs were greater than $1 million. The biggest cost from the attacks in all but the APAC region was operational downtime.

61% of respondents in North America said they were very or moderately concerned about cyberattacks on their systems. The biggest concerns in this region were insider threats (47%), followed by supply chain and privilege escalation attacks (41%), denial of service (DoS) attacks (39%), and ransomware attacks (38%). A majority of organizations (78%) said they have clear leadership in place for medical device security, which is most commonly the responsibility of IT security teams, and cybersecurity programs typically covered sensitive data such as PHI, EHRs, IT systems, endpoints, medical devices, and BMS such as elevators and HVAC equipment. When asked about the security standards, regulations, and guidelines, the NIST and HITRUST Cybersecurity Frameworks were seen as the most important in North America followed by HIPAA and 405(d).

The survey indicates that healthcare organizations have a clear understanding of the aspects of security that need to be improved. The biggest gaps in defenses were cited as medical device vulnerability patching, asset inventory management, and medical device network segmentation. 60% of respondents said their organization’s security posture has improved over the past 12 months and 51% said their security budgets had been increased in the past year; however, efforts to improve cybersecurity were being hampered by the global shortage of cybersecurity professionals. More than 70% of respondents said they were looking to hire additional cybersecurity staff members and 80% said finding qualified candidates was difficult.

“Security challenges in the healthcare sector continue to mount as the number and types of connected assets grow and the attack surface expands. Beyond the financial ramifications organizations in any sector can face in the wake of a successful attack, in healthcare the stakes are raised due to the patient outcomes at risk,” explained Claroty in the report. “With strong security leadership in place, well-rounded security programs implemented, and the adherence to guidelines and frameworks from regulatory bodies, healthcare organizations are on the right track to ensuring cyber and operational resilience. Recognizing there is more work to be done, they are also prioritizing investments in people, processes, and technologies to build resilience further and ensure compliance while delivering uninterrupted, quality care to their patients.”

The post 78% of Healthcare Organizations Suffered a Cyberattack in the Past Year appeared first on HIPAA Journal.