According to the results of a survey released by HIMSS earlier this month, two-thirds of responding health organizations recently experienced a significant security incident. More than 87% of those surveyed also stated that their organizations have identified cybersecurity as an increased priority over the last year. The results of the 2015 HIMSS Cybersecurity Survey were released at the Privacy and Security Forum held in Chicago June 30–July 1.
“The recent breaches in the healthcare industry have been a wake-up call that patient and other data are valuable targets and healthcare organizations need a laser focus on cybersecurity threats,” said Lisa Gallagher, vice president of technology solutions for HIMSS. “Healthcare organizations need to rapidly adjust their strategies to defend against cyber attacks. This means incorporating threat data, and implementing new tools and sophisticated analysis into their security process.”
The survey generated a number of findings pointing to the increased risk to health systems posed by cybersecurity threats. On average, respondents reported using 11 different technologies to secure their environment. However, the 297 healthcare leaders and information security officers surveyed reported only an average level of confidence in their organizations’ ability to protect data. Those concerns would appear justified: 62% of respondents stated that security incidents have caused limited disruption to IT systems. For 21%, the incidents led to loss of patient, financial, or organizational data, and for 8%, those incidents led to significant disruption and caused damage to IT systems.
In more than half of cases (51%), security incidents were detected by a member of an internal security team. In 50% of cases, an internal staff member who was not affiliated with the security team detected the problem. Only 17% of incidents were identified by an outside resource such as a cybersecurity firm, although 64% of respondents declared that lack of appropriate cybersecurity personnel was a barrier to mitigating cybersecurity events.