Security Awareness in Healthcare: 2018 HIMSS Survey Results

Share with your network!

In recent years, the healthcare industry has experienced increasing problems with cyberattacks and security compromises, and that trend is likely to continue, according to a report released by the Healthcare Information and Management Systems Society (HIMSS). With the top threats targeting end users rather than IT infrastructure, security awareness training is a critical tool for healthcare organizations — but how many have effective programs in place?

Top Cyberthreats for Healthcare

The 2018 HIMSS Cybersecurity Survey is based on responses from 239 information security professionals from a variety of healthcare organizations. More than 75% of respondents said they experienced a significant security incident in the previous year; the most common threat actors named in these incidents — 37.6% — were “online scam artists” who used tactics like phishing and spear phishing. In fact, 61.9% of respondents noted that an email (e.g., phishing email) was the initial point of compromise.

As is the case in all industries, spoofing has become a favorite technique among attackers. According to an article by Amy Baker, our Vice President of Marketing, this technique is particularly successful within the healthcare space. “These attacks are incredibly effective because they prey on people who are time poor and are trying to fulfill requests as quickly and efficiently as possible,” she noted.

The prevalence of malicious emails in security compromises is borne out in Proofpoint’s research. In 2017, one in five emails claiming to be from a healthcare organization was fraudulent. Of the three billion emails observed to use the domain of a known healthcare brand, more than 8% (262 million) came from either unauthorized or malicious sources.

After phishing and spear phishing, the second most common threat reported in the HIMSS survey — 20.8% — was from negligent insiders. These people are “well-meaning but negligent individuals with trusted access who may facilitate or cause a data breach or other cyber incident.” (Malicious insiders, by contrast, were named in only 5.4% of attacks.)

The prevalence of these threats underscores that end-user behaviors can have a significant impact on a healthcare organization’s cybersecurity posture. The need for rigorous security awareness training extends beyond full-time employees to others who may have access to sensitive information, including contractors, consultants, and temporary staff.

The HIMSS report is crystal clear on this point: “Workforce members and others are essentially gatekeepers of good and evil into and out of an organization.” With that understanding, it’s easy to see why end-user knowledge assessments and security awareness training are critical to the healthcare industry.

Assessing End-User Knowledge

Given end users’ vulnerability to cyberattacks, it’s appropriate that the HIMSS report calls for frequent, comprehensive penetration testing, and stresses the human elements of cybersecurity. “[H]umans often are the weakest link for any cybersecurity program and it is important to educate, inform, and test,” according to the report.

The report notes that the phishing awareness of workforce members is the human element most tested by healthcare organizations (32.9% of respondents), followed by incident response (20.6%), communications (17.6%), and vishing awareness (12.3%). While it’s encouraging to see phishing at the top of this list (and to see vishing in the training mix), it’s concerning that most healthcare organizations are not testing their users’ understanding of key cybersecurity topics.

Assessments are a great way to measure the effectiveness of a security awareness program and identify specific areas of concern. Our 2018 State of Security Education: Healthcare report explores how medical staff and other end users in this industry are performing on cybersecurity assessments across a range of topics. In it, we analyze their responses to questions asked and answered about 12 security topics in our Security Education Platform.

Our data indicates that healthcare professionals fall behind many other industries in their understanding of data protection and disposal techniques, missing an average of 28% of questions about the data lifecycle and the handling of personally identifiable information (PII) in general.

Users also missed an average of 26% of questions about protecting confidential information, which should raise concern among healthcare organizations, given their need to safeguard protected health information (PHI) and PII. Questions asked in this category related specifically to the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR).

Security Awareness Training in Healthcare

HIMSS notes that “[m]any healthcare organizations struggle with problems stemming from a lack of security awareness” and recommends several ways in which the industry should improve its cybersecurity programs, from increasing personnel and funding to standardizing security frameworks and threat intelligence.

While the report does indicate that most healthcare organizations conduct security awareness training, nearly 52% of respondents said they rely on annual training — a practice we’ve cautioned against because it does not support effective knowledge retention and lasting behavior change. More concerning, however, is that more than 12% of respondents either don’t have a security awareness training program in place or don’t know how frequently cybersecurity education is conducted.

With healthcare organizations facing increasingly sophisticated cyberattacks — and with many of those attacks coming via email — infosec teams in this industry need to prioritize end-user risk management. HIMSS stresses that ongoing cybersecurity education is a better option than infrequent or inconsistent security awareness training initiatives, and we couldn’t agree more. As Baker noted in her article, “[w]ith healthcare staff rushed off their feet, their behavior needs to be conditioned so they can identify phishing emails based on a range of factors (for example, by checking that URLs and attachments are legitimate, in addition to looking at the sender). Proper authentication, threat intelligence, and cybersecurity training tools can help prevent successful phishing attacks.”