Budget limitations, phishing attacks, and ransomware continue to threaten the healthcare industry, according to the 2021 HIMSS report 

The 2021 HIMSS Healthcare Cybersecurity Survey provides insight into the state of healthcare cybersecurity. This year, the report may serve as a chance for IT teams to inform their organizations that they are still in need of a cybersecurity overhaul. 

Too Many Threats, Too Little Time

Out of 167 healthcare cybersecurity professionals surveyed, 67% of respondents indicated that their healthcare organizations experienced significant security incidents in the past year. These attacks varied in severity but tended to come from several main attack vectors. Phishing attacks were reported as the common type (45%) and ransomware the second, making up 17% of reported attacks. 

And to make things worse… 

While many phishing-related incidents are related to human error or lack of security awareness, the issues of legacy software and processes are still compounding these problems, as is the extremely common habit of password reuse which feeds directly into the compromised credential crisis. 

Who/What is being targeted? 

While accuracy is not guaranteed, it’s useful for IT teams and other administrators to know who, or what type of data, is being targeted by cybercriminals. The 2021 survey found that “financial information (52%), employee information (43%) and patient information (39%) were the primary targets of threat actors.” 

Funding  

Overall, cybersecurity budgets are still extremely tight and only allow for small changes to be made within an individual organization. A startling quarter (24%) of respondents reported that their cybersecurity budgets “have no specific carve-out” while 40% reported that six percent or less of the information technology budget was allocated to cybersecurity. 

However, there was an indication that some organizations have taken financial action to address cybersecurity threats. Over 50% of respondents acknowledged an increase in their available cybersecurity budget, which has led to a scattered set of outcomes, including “upgrades of security solutions, acquisitions of new security solutions, increases in cybersecurity staffing, and maintenance of existing infrastructure” among others. 

While these changes are positive, the report highlights that the idea of an overhaul is still relevant, and needed. Even with small budget increases, IT teams are still being forced to pick and choose which security solutions to pursue. No one seems able to afford everything, so solutions like staff training are being put in the back seat, in favor of new software or similar acquisitions. 

In an ideal world, healthcare organizations would be able to afford a comprehensive cybersecurity plan.  

What changes should be made? 

Within the dialogue of risk in the healthcare industry, there are arguments to be made for many solutions. Increasing budget, screening for compromised credentials, and providing security awareness training for all personnel are among them. Credential screening is perhaps the most efficient because it protects users as well as organizations, and because compromised credentials are an origin point for so many security concerns, whether attacks come in the form of phishing emails or through brute force attacks. 

Credential screening would also be highly effective for healthcare organizations as it would allow employee passwords to be screened continuously, without changing the user interface. This would increase the overall cybersecurity posture of the system, while still allowing healthcare professions to focus on patient care.