HIMSS Cybersecurity Survey Indicates the Human Factor is the Major Vulnerability in Medical Care

HIMSS has shared the results of its 2021 Healthcare Cybersecurity Survey which revealed that 67% of respondents have encountered a minimum of one major security occurrence in the past year, with the most prominent security breaches caused by phishing attacks.

The 2021 HIMSS Healthcare Cybersecurity Survey was performed on 167 medical care cybersecurity experts, who were responsible for everyday cybersecurity operations or oversight.

The surveyed IT specialists were inquired about the major security breaches they had suffered in the past 12 months, and in 45% of incidents it was a phishing attack, and 57% of survey participants mentioned the most significant breach concerned phishing. Phishing attacks are most often carried out by email. 71% of the major security incidents are email-related phishing attacks; nonetheless, 27% stated there was a considerable voice phishing incident (vishing), 21% reported they had substantial SMS phishing incident (smishing), and 16% claimed there was a substantial social media phishing incident.

Phishing was the most prevalent first point of compromise, accounting for 71% of the major security breaches. Following are social engineering attacks at 15%. Human error is usually the reason behind major data breaches, making up 19% of the big security breaches, with 15% a result of the extended use of legacy software for which support is no longer given. The survey additionally showed standard security controls were not totally implemented at a lot of businesses.

Ransomware attacks still affect the healthcare industry, and the attacks usually bring about major trouble and have substantial mitigation costs. 17% of respondents stated the biggest security incident they encountered was a ransomware attack. 7% of survey participants claimed negligent insider activity triggered the major security incident, though HIMSS states that medical companies typically do not have strong defenses against insider breaches, thus it is probable that these sorts of breaches were underreported.

Taking into consideration the degree to which phishing results in account breaches or serious cyberattacks, it is crucial for healthcare institutions to use effective email security measures to stop phishing emails and to furthermore invest in security awareness training for the employees. Not only one security solution can prohibit all phishing attacks, therefore it is important for the labor force to acquire training on how to determine phishing and social engineering attacks. Educating employees on security best practices can help to lessen human error which commonly causes data breaches.

The prolonged usage of legacy programs when it is the end-of-life can be a concern in medical care, nevertheless, plans must be made to update out-of-date systems, and if that is not achievable, mitigations must be applied to make exploiting vulnerabilities harder, like separating legacy programs and not exposing them online.

44% of survey respondents mentioned their most critical breach had no minimal effect; nevertheless, 32% stated security breaches prompted interruption to systems that impacted business functions, 26% explained security breaches disturbed IT systems, and 22% reported security breaches triggered data breaches or data loss. 21% stated the security breaches had affected clinical care, and 17% stated the most critical security incident led to financial loss.

Regardless of the risk of cyberattacks, finances for cybersecurity budgets continue to be slim. 40% of surveyed IT experts mentioned 6% or less of their IT budget was dedicated to cybersecurity, which is the same proportion as the last four years although the risk of attacks has gone up. 40% of survey participants stated they either had funds that did not change since last year or had lessened, and 35% mentioned their cybersecurity fund is not predicted to alter.

The HIMSS survey asked respondents to know about the biggest security problems, which for 47% of participants was not enough budget. Employees’ compliance with guidelines and procedures was a serious problem for 43% of respondents, the prolonged use of legacy software programs was a concern for 39% of participants, and 34% reported they had problems with patch and vulnerability management.

Personnel making mistakes, identity and access management, device management, developing a cybersecurity culture, information leaks, and shadow IT were likewise regarded as big security issues.

The discoveries of the 2021 HIMSS Healthcare Cybersecurity Survey indicate that healthcare companies still have considerable problems to overcome. These limitations to progress involve restricted security budgets, increasing legacy footprints, and the expanding volume of cyber-attacks and compromises. In addition, fundamental security controls were not completely enforced by a lot of organizations. Most likely, the major weakness is the human factor. Medical providers ought to do more to help healthcare cybersecurity specialists and their cybersecurity plans.