Managing Healthcare Risk in a Networked World

Independently conducted by Ponemon Institute LLC  |  Sponsored by Michigan Healthcare Cybersecurity Council

Incidents & Threats

KEY FINDING:  Healthcare organizations are having an average of almost one cyberattack per month.

Organizations experienced an average of 22 successful cyberattacks in the past 12 months. According to the data below, the security incident most often experienced is lost or stolen devices (54 percent of respondents). Other incidents include denial of service, spear phishing, and ransomware (44 percent, 43 percent, and 42 percent of respondents, respectively).

Chart: What types of security incidents has your organization experienced in the past 12 months? (Responses in the order shown; percentages are given where the text reports them.)

Lost or stolen devices (54 percent)
Denial of services (44 percent)
Spear phishing (43 percent)
Ransomware (42 percent)
Advanced persistent threats/targeted attacks
Botnet attacks
Exploit of existing software vulnerability greater than 3 months old
Exploit of existing software vulnerability less than 3 months old
Rootkits
Web-borne malware attacks
SQL injection
Zero day attacks
Clickjacking

KEY FINDING:  Healthcare data breaches result in the loss or exposure of patient information.

As shown below, 84 percent of organizations have experienced an average of three data breaches over the past 12 months, and slightly more than half of those breaches (53 percent) have been successfully mitigated. Additionally, of the 84 percent of respondents that experienced a data breach, 64 percent say these data breaches did result in the loss or exposure of patient information.

Chart: Did any of these incidents involve the loss or exposure of patient information?
Extrapolated value is data breaches over the past 12 months. (Response categories in the order shown.)

None
1 to 2
3 to 4
More than 5

KEY FINDING:  Most organizations have a cybersecurity incident response plan, but it is rarely exercised.

Sixty-three percent of respondents say their organizations have a cybersecurity incident response plan. However, 59 percent of respondents say it is exercised only annually (23 percent), at no set time (20 percent), or only when their organizations have a cybersecurity incident (16 percent). According to the data below, the two functions most often involved are IT security (65 percent of respondents) and IT (54 percent of respondents). Fifty-two percent of respondents say corporate counsel/compliance is most often involved.

Chart: Who is involved in the incident response program? (Responses in the order shown; percentages are given where the text reports them.)

Information security (65 percent)
Information technology (54 percent)
Corporate counsel/compliance (52 percent)
Human resources
Lines of business
Risk management
Finance
Internal Audit
Privacy office
Other

KEY FINDING:  Healthcare organizations are most concerned about unsecure medical devices.

As shown below, unsecure medical devices are the security threats healthcare organizations are most concerned about (49 percent of respondents) followed by ransomware, cyberattackers, and phishing (43 percent, 41 percent, and 40 percent, respectively).

Steps taken to prevent the loss of sensitive and confidential information

Chart: What security threats is your organization most concerned about? (Responses in the order shown; percentages are given where the text reports them.)

Unsecure medical devices (49 percent)
Cyber extortion (ransomware) (43 percent)
Cyber attackers (41 percent)
Phishing (40 percent)
Third party misuse of patient data
Insecure mobile apps (eHealth)
Use of public cloud services
System failures
Identity thieves
Employee negligence or error
Mobile device insecurity
Malicious insiders
Process failures
Employee-owned mobile devices or BYOD
Other

KEY FINDING:  Healthcare organizations are at risk because of not having an inventory of critical applications and hardware and/or software.

According to the graph below, organizations are at risk because they lack a comprehensive inventory of their critical applications and hardware and/or software. Organizations represented in this research have an average of 55,925 network-connected devices.

Does your organization have a comprehensive inventory of its critical applications and hardware and/or software?