KPMG study shows healthcare providers unprepared for cyber threat
During our conversation, we asked Matthew about the current cybersecurity landscape facing healthcare companies, why they are targets for attack and what they need to do to prepare their networks. What we heard is that new high-tech tools and an increase in network connectivity have made healthcare companies more vulnerable, and their focus on availability over security is keeping them that way.
According to Matthew, “Healthcare companies are facing an ever-changing threat landscape that evolves along with the technology solutions they use within the enterprise…Hospitals are more interconnected with patients, physician practices, specialty providers, vendors and state and federal systems than ever before. While patient safety is paramount, the support base for clinical and supporting systems faces daily decisions between system availability to support patient care, or maintenance/management to reduce the vulnerability footprint.”
Unfortunately, this bleak security assessment of the healthcare industry appears to be an accurate one.
In late August, consulting firm KPMG released the results of a study that polled 223 chief information officers, chief technology officers, chief security officers and chief compliance officers at healthcare providers and health plans. According to the results of this study, a handful of healthcare trends and technologies are exposing providers and payers to a new world of security threats. Couple these trends with an increasingly sophisticated ecosystem of bad actors, and you have a prescription for cybercrime that should be cause for concern among all patients, providers and payers.
What KPMG found is that healthcare breaches are on the rise and that the healthcare industry is rapidly becoming one of the most targeted sectors – behind the usual favorites among data thieves, such as financial services and retail. This is due to a few factors, including the increase in electronic health record (EHR) adoption, the use of legacy applications with poor security safeguards, the ease of sharing healthcare data via multiple avenues and the fact that many different applications and systems share the same flat network – including workstations that access and browse the Internet, which puts clinical systems one compromised browser away from an attacker.
Despite the increased risk, a surprisingly small number of cybersecurity incidents are being identified and tracked within the healthcare organizations themselves. In fact, 82 percent of respondents reported tracking between one and 350 incidents in the last year – a low count for organizations facing daily probing, and one that more likely reflects limited visibility than a low rate of attack.
What does KPMG attribute this to? The firm claims that these low numbers indicate that healthcare companies simply aren’t prepared to identify, track and manage sophisticated threats.
According to the report, “Mature incident and vulnerability management processes are lacking in most organizations, and thus, daily threats aren’t even reported or managed effectively by many organizations. One KPMG client saw a 1000% increase in incidents and vulnerability reporting to their enterprise once they implemented an effective Security Operations Center (SOC) to intercept, interpret, and report on threats.”
Despite these findings, healthcare companies may be a bit too confident in their abilities to protect their networks, identify threats and manage breaches. According to the findings of the study, 53 percent of the respondents thought their organization was ready to defend itself against cyberattack. However, respondents did identify areas where their networks and systems could be hacked, and threats they should be wary of. The study asked respondents two separate questions: to identify their greatest vulnerabilities, and to identify their greatest security concerns (respondents could select more than one answer, so the percentages do not sum to 100).
Here are the results:
Greatest vulnerabilities:
- External attackers – 65 percent
- Sharing data with third parties – 48 percent
- Wireless computing – 35 percent
- Employee breaches/theft – 35 percent
- Inadequate firewalls – 27 percent
Greatest security concerns:
- Malware infecting systems – 67 percent
- HIPAA violations/compromise of patient privacy – 57 percent
- Internal vulnerabilities (employee theft/negligence) – 40 percent
- Medical device security – 32 percent
- Aging IT hardware – 31 percent
As Matthew stated in his interview on the site – and as the findings of the KPMG report confirm – the healthcare industry is becoming a frequent and desirable target for data thieves and bad actors. Unfortunately, the focus on implementing technologies that directly impact patient care, rather than on securing them, threatens to keep healthcare organizations vulnerable now and into the future.
To drive change, the KPMG report recommends a larger investment in security by healthcare providers. It also calls on healthcare providers to bring dedicated security professionals and a security operations center on board within their organizations, so that incidents are actually detected and managed rather than going unreported. We hope that healthcare providers heed the warnings and take appropriate action. As we discussed in a previous post…the ramifications could be quite severe for those that don’t.