New Ponemon Study: Cyber Onslaught Threatens to Overwhelm Healthcare Sector

Next story

ESET Researcher Stephen Cobb to Share Survey Results at HIMSS16

ESET®, a global pioneer in proactive protection for more than two decades, and the Ponemon Institute, a privacy and information management research firm, today announced results of The State of Cybersecurity in Healthcare Organizations in 2016 (February 2016). According to the study, healthcare organizations average about one cyber attack per month. Almost half (48 percent) of respondents said their organizations have experienced an incident involving the loss or exposure of patient information during the last 12 months. Yet despite these incidents, only half indicated their organization has an incident response plan in place.

“The concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security," said Stephen Cobb, senior security researcher at ESET. "The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management."

Key findings of the survey:

  • Exploiting existing software vulnerabilities and web-borne malware attacks are the most common security incidents. According to 78 percent of respondents, the most common security incident is the exploitation of existing software vulnerabilities greater than three months old.
  • On average, organizations have an advanced persistent threat (APT) incident every three months. Respondents experienced an APT attack about every three months during the last year. Sixty-three percent said the primary consequences of APTs and zero-day attacks were IT downtime followed by the inability to provide services (46 percent of respondents), which create serious risks for patient treatment.
  • Hackers are most interested in stealing patient information. The most attractive and lucrative target for unauthorized access and abuse can be found in patients’ medical records, according to 81 percent of respondents.
  • Healthcare organizations worry most about system failures. Seventy-nine percent of respondents said that system failures are one of the top three threats facing their organizations. This is followed by cyber attackers (77 percent) and unsecure medical devices (77 percent).
  • Technology poses a greater risk to patient information than employee negligence. The majority (52 percent) of respondents said legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things increase security vulnerabilities for patient information. Respondents also expressed concern about the impact of employee negligence (46 percent) and the ineffectiveness of HIPAA-mandated business associate agreements designed to ensure patient information security (45 percent).
  • DDoS attacks have cost organizations on average $1.32 million in the past 12 months.

Thirty-seven percent of respondents say their organization experienced a DDoS attack that
caused a disruption to operations and/or system downtime about every four months. These attacks cost an average of $1.32 million each, including lost productivity, reputation loss and brand damage.

  • Healthcare organizations need a healthy dose of investment in technologies. On average,

healthcare organizations represented in this research spend $23 million annually on IT;
12 percent on average is allocated to information security. Since an average of $1.3 million is
spent annually for DDoS attacks alone, a business case can be made to increase
technology investments to reduce the frequency of successful attacks.

"Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks,” said Larry Ponemon, chairman and founder of The Ponemon Institute. “As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies.”

Read more insights from Stephen Cobb and learn more of the survey’s findings in this post:
New Ponemon Study: With Cybercrime Still on the Rise, It’s Time to Take Action.

The State of Cybersecurity in Healthcare Organizations in 2016 surveyed 535 IT and IT security practitioners in small- to medium-sized healthcare organizations in the U.S. Sixty-four percent of respondents are employed by HIPAA covered entities, 36 percent by business associates of covered entities. Eighty-eight percent of organizations represented in this study have 100-500 employees.

About Ponemon Institute
Ponemon Institute conducts independent research and education that advances information security, data protection, privacy and responsible information management practices within businesses and governments throughout the world. Our mission is to conduct high quality, empirical studies on critical issues that affect the protection of information assets and IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards.

About ESET:
Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit or follow us on LinkedIn, Facebook and Twitter.