Incidents & Threats

KEY FINDING: Healthcare organizations are having an average of almost one cyberattack per month.
Organizations experienced an average of 22 successful cyberattacks in the past 12 months. According to the data below, the most common security incident is lost or stolen devices (54 percent of respondents). Other incidents include denial of service, spear phishing, and ransomware (44 percent, 43 percent, and 42 percent of respondents, respectively).

What types of security incidents has your organization experienced in the past 12 months?

KEY FINDING: Healthcare data breaches result in the loss or exposure of patient information.
As shown below, 84 percent of organizations have experienced an average of three data breaches over the past 12 months, and on average slightly more than half (53 percent) of those breaches have been successfully mitigated. Additionally, of the 84 percent of respondents that experienced a data breach, 64 percent say these breaches resulted in the loss or exposure of patient information.

Did any of these incidents involve the loss or exposure of patient information?
Chart categories (data breaches over the past 12 months, extrapolated value): None; 1 to 2; 3 to 4; More than 5

KEY FINDING: Most organizations have a cybersecurity incident response plan, but it is rarely exercised.
Sixty-three percent of respondents say their organizations have a cybersecurity incident response plan. However, 59 percent of respondents say it is exercised annually (23 percent), at no set time (20 percent), or only when their organizations have a cybersecurity incident (16 percent). According to the data below, the two functions most often involved are IT security (65 percent of respondents) and IT (54 percent of respondents). Fifty-two percent of respondents say corporate counsel/compliance is most often involved.

Who is involved in the incident response program?

KEY FINDING: Healthcare organizations are most concerned about unsecure medical devices.
As shown below, unsecure medical devices are the security threat healthcare organizations are most concerned about (49 percent of respondents), followed by ransomware, cyberattackers, and phishing (43 percent, 41 percent, and 40 percent, respectively).

What security threats is your organization most concerned about?

KEY FINDING: Healthcare organizations are at risk because they lack an inventory of critical applications and hardware and/or software.
According to the graph below, organizations are at risk because they lack an inventory of their critical applications and hardware and/or software. Organizations represented in this research have an average of 55,925 network-connected devices.

Does your organization have a comprehensive inventory of its critical applications and hardware and/or software?