When it comes to cybersecurity, healthcare organizations are most concerned about social engineering, data theft and internal threats. And they perceive ransomware and malware as the top ways that cyber criminals are exploiting their weaknesses.
Those are among the findings of a new survey of nearly 200 members of the Association for Executives in Healthcare Information Security and College of Healthcare Information Management Executives.
In the survey, the top-ranked potential security vulnerabilities that worry AEHIS and CHIME members are data exposure, security misconfiguration and poor authentication/session management. However, they indicated that the most common security threats to their organizations are social engineering, insider threats and the Internet of Things.
Asked how their organizations would perform, compared with a year ago, if systems or data were compromised by a targeted attack, survey respondents said they are now better prepared for a security incident because they have systems in place. In addition, they contend that their capabilities for discovering a security incident and recovering from it are better than they were a year ago.
Avi Rubin, director of the Health and Medical Security Lab at Johns Hopkins University, says there were no surprises in the results of the survey and that they were exactly what he would have expected.
CHIME Vice President for Federal Affairs Mari Savickis presented the survey findings this week to the Department of Health and Human Services’ Cybersecurity Task Force, which Congress mandated to develop recommendations for countering the healthcare industry’s growing cyber threats that put patient information at risk.
While healthcare organizations said they need greater assistance from federal agencies to improve information sharing and threat assessments, almost 65 percent of survey respondents indicated that they were somewhat confident or not confident at all that federal legislators understand the importance of cybersecurity enough to support key information security initiatives.
Nonetheless, they want lawmakers to adopt incentives that will encourage greater information sharing, including shielding organizations that voluntarily work to improve security across the delivery system from government audits.