The Healthcare Information and Management Systems Society (HIMSS) conducted its annual healthcare cybersecurity survey, showing the current state of cybersecurity in the industry and the challenges that organizations face. This report offers a valuable glimpse into the priorities, strategies, and future directions of healthcare cybersecurity, providing a roadmap for healthcare providers, vendors, and policymakers to enhance their security posture and protect their most valuable assets.
Workforce challenges
One of the most pressing issues identified in the HIMSS survey is the ongoing challenge of hiring and retaining qualified cybersecurity professionals. The healthcare sector, like many other industries, is struggling with a shortage of skilled cybersecurity talent, with 74.16% of respondents citing recruitment as a major hurdle. Factors contributing to this challenge include a lack of relevant experience or skills among candidates, insufficient budgets to offer competitive compensation, and the unique complexities of the healthcare environment, which requires specialized knowledge and expertise.
Retention of qualified cybersecurity personnel also emerged as a concern, with 57.32% of respondents indicating that it is a challenge. Reasons for this include a lack of professional growth opportunities, inadequate executive support, and concerns about job security in the event of a breach. To address these workforce challenges, healthcare organizations must prioritize strategies to attract, develop, and retain top cybersecurity talent, such as offering competitive compensation, fostering a supportive work environment, and providing ongoing training and development opportunities.
Cybersecurity budgets
The HIMSS survey revealed encouraging trends in cybersecurity budgets. Compared to previous years, more healthcare organizations are allocating greater financial resources to their cybersecurity programs, with 55.31% of respondents reporting an increase in their budgets. Positive momentum is further supported by expectations that budgets will continue to rise, as 57.54% of respondents anticipate an increase in 2024.
Survey data also indicates that healthcare organizations are now spending, on average, at least 7% of their overall IT budget on cybersecurity, a notable increase from historical trends. This allocation of resources reflects the growing recognition that strong cybersecurity measures are needed to safeguard patient data, medical devices, and the overall integrity of healthcare systems.
Incident detection and response
Effective incident detection and response are essential components of a cybersecurity strategy. The HIMSS survey examined the timeliness of incident detection, with nearly half of respondents (49.35%) indicating that their organizations were able to detect security incidents within one week or less. This detection capability reflects the heightened focus on security monitoring and threat intelligence within the healthcare sector.
The survey also revealed that phishing remains a common initial point of compromise, with 58.52% of respondents identifying general email phishing as the entry point for their organization's most severe security incident. Addressing this issue requires continuous security awareness training and the implementation of advanced anti-phishing technologies to counteract this persistent threat.
Ransomware
The HIMSS survey explored the current state and future outlook of ransomware attacks on the healthcare industry. While a majority of respondents (75.55%) reported that their organizations did not experience a ransomware attack in the past year, the threat remains, with 11.79% of organizations falling victim to these malicious incursions.
The survey also examined the ransomware strains involved, with respondents identifying LockBit, Cl0p, BlackByte, and Quantum as active. Additionally, a concerning trend emerged: 25.93% of organizations that experienced a ransomware attack opted to pay the ransom, potentially fueling further criminal activity.
Looking ahead, the survey respondents anticipate that ransomware attacks will continue to adapt and increase in frequency, necessitating a proactive and resilient approach to cybersecurity. Healthcare organizations must stay vigilant, implement backup and recovery strategies, and collaborate with law enforcement and cybersecurity experts to combat this persistent threat.
Artificial intelligence
The 2023 HIMSS survey examined the emerging use of artificial intelligence (AI) in healthcare, particularly generative AI (GenAI) technologies such as ChatGPT. The findings reveal a mixed response, with 49.78% of respondents indicating that their organizations allow the use of GenAI, while 34.50% do not.
However, the survey also uncovered a concerning gap in governance: only 40.71% of respondents whose organizations allow GenAI have an acceptable use policy in place. Similarly, less than half (43.36%) reported having an approval process for the use of GenAI, and a majority (51.53%) are not actively monitoring its usage within their organizations.
This lack of governance and oversight raises concerns, as the use of GenAI in healthcare can pose risks related to data privacy, intellectual property theft, and patient safety. Healthcare organizations must prioritize the development of policies, approval processes, and monitoring mechanisms to ensure the responsible and secure deployment of AI technologies, balancing the potential benefits with the inherent risks.
Board of directors oversight
The HIMSS survey highlighted how important the board of directors' oversight is in shaping the cybersecurity of healthcare organizations. A majority of respondents (61.57%) indicated that their boards have direct oversight of cybersecurity risks, reflecting the growing recognition of cybersecurity as a strategic necessity at the highest levels of leadership.
However, the survey also revealed that only 67.69% of respondents' organizations regularly brief their boards on cybersecurity risks. Effective governance requires regular, transparent communication between cybersecurity professionals and board members, ensuring that decision-makers are equipped with the necessary information to make informed, risk-based decisions.
As regulatory scrutiny and public accountability around cybersecurity continue to intensify, healthcare organizations must prioritize strengthening the board's oversight and involvement in cybersecurity strategy, implementation, and incident response. This holistic approach to governance will be instrumental in fostering a culture of security and resilience within the healthcare industry.
Embracing the NIST cybersecurity framework
The NIST Cybersecurity Framework has emerged as a widely recognized and adopted standard for improving infrastructure cybersecurity, and the healthcare sector is no exception. The HIMSS survey revealed that slightly more than half of respondents (51.53%) plan to adopt the latest version of the framework, NIST Cybersecurity Framework Version 2.0 (CSF 2.0).
CSF 2.0 introduces a new core function, "Govern," which establishes clear governance structures, policies, and processes to effectively manage cybersecurity risk. The framework's guidance, implementation examples, and community profiles provide healthcare organizations with a roadmap for enhancing their cybersecurity posture and aligning their efforts with industry best practices.
Cybersecurity performance goals
In addition to the NIST Cybersecurity Framework, the HIMSS survey pointed out the emergence of the Healthcare and Public Health (HPH) Cybersecurity Performance Goals (CPGs) developed by the U.S. Department of Health and Human Services (HHS). These voluntary goals, aligned with the NIST framework, provide a set of enhanced cybersecurity measures tailored specifically for the healthcare and public health sectors.
The HPH CPGs address areas such as vulnerability mitigation, phishing defense, multifactor authentication, incident response planning, and third-party risk management. Adopting these goals helps healthcare organizations enhance their overall cybersecurity preparedness and resilience, better positioning them to withstand and respond to any threat.
The HIMSS survey results indicate that the implementation of the HPH CPGs, in conjunction with the NIST Cybersecurity Framework, can serve as a powerful framework for healthcare organizations to assess their current security posture, prioritize their cybersecurity initiatives, and measure their progress toward becoming more cyber-resilient.
How Paubox can strengthen an organization’s cybersecurity
Paubox Email Suite is a solution that ensures all employees send HIPAA compliant emails by default. It uses TLS 1.2 and TLS 1.3 encryption. The premium plan also includes email data loss prevention (DLP), a feature that stops employees from sending sensitive information to people outside of their network. Paubox is dedicated to ensuring the highest level of cybersecurity for healthcare providers, and all of its products are HITRUST CSF certified.
FAQs
What is cybersecurity and how does it relate to healthcare security?
Cybersecurity involves protecting computer systems, networks, and data from digital attacks, unauthorized access, and damage. In healthcare, it is necessary to safeguard protected health information (PHI) and electronic protected health information (ePHI). Effective measures help keep sensitive patient data confidential, secure, and compliant with HIPAA regulations.
Why is cybersecurity important for HIPAA compliance?
Cybersecurity is important for HIPAA compliance because it helps protect PHI from breaches and unauthorized access, which is central to maintaining patient privacy and confidentiality. By implementing strong cybersecurity practices, healthcare organizations can prevent data breaches, avoid fines, and ensure that they meet HIPAA's security and privacy requirements.
What are the potential risks associated with inadequate cybersecurity under HIPAA?
- Data breaches: Unauthorized access to ePHI, leading to exposure of sensitive patient information and violation of HIPAA regulations.
- Non-compliance penalties: Fines and legal consequences for failing to implement sufficient security measures as required by HIPAA.
- Financial losses: Costs related to breach remediation, legal fees, and potential settlements with affected individuals.
- Reputational damage: Loss of trust from patients, partners, and the public due to the organization’s failure to protect sensitive health information.
- Operational disruptions: Interruptions to healthcare services and administrative functions caused by cyberattacks or compromised data security.