Sunday, June 7, 2026

Report identifies phishing, ransomware attacks as top healthcare security incidents


The HIMSS Healthcare Cybersecurity Survey found that healthcare organizations across the board identified phishing and ransomware attacks as the most important security incidents in 2021.

Financial information is the most common target of such cyberattacks, the report said. Over the years, cyber threats such as ransomware attacks targeting the industry have grown, adding to the challenges it already faces: aging infrastructure and tight budgets.

Sponsored by Carahsoft, the report surveyed 167 professionals to assess the state of healthcare cybersecurity. Of those surveyed, 54% work for healthcare provider organizations, 28% work for consulting/provider organizations, and 19% work for other types of organizations. The majority (61%) of respondents have primary responsibility for their healthcare organization’s cybersecurity program, with 23% partially responsible. Additionally, 90% of those surveyed said they have a management role in healthcare cybersecurity.

A significant number (67%) of respondents said that in the past 12 months, their healthcare organization had experienced a major security incident, the report said. When considering how serious the security threat facing an organization is, 12% rated it as serious and 32% rated it as a high threat.

In addition, medical institutions said phishing attacks are the most common form of threat, accounting for 45% of security incidents. Ransomware attacks came in second, accounting for 17 percent of incidents.

Additionally, phishing often plays a major role in security incidents. For example, 57% of respondents said the most important security incident included phishing. Respondents indicated the percentage of each type of phishing that occurred: email phishing (71%), spear phishing (67%), voice phishing (vishing) (27%), whaling (27%), business email compromise (23%), SMS phishing (21%), phishing sites (20%) and social media phishing (16%).

When respondents were asked about the initial point of compromise, phishing was the most common at 71 percent, the report said. Human error (19%), social engineering (15%) and legacy software (15%) were the next most common points of initial intrusion.

Therefore, the study recommends that healthcare companies implement security awareness programs and insider threat detection and mitigation measures to improve security. Additionally, the report recommends software upgrades or complete software replacements when needed.

In terms of targets of attacks, the 2021 report mirrors the findings of the 2020 HIMSS report, with financial information being the primary target 52 percent of the time, followed by employee information (43 percent) and patient information (39 percent). Intellectual property was the target only 15% of the time, the report says.

These attacks have a variety of effects, from data breaches and leaks to system/device disruption to monetary loss. However, 44% of the time the effect was non-existent or negligible.

The study also looked at the cybersecurity budgets of healthcare companies. While 40% of companies spend only 6% or less of their budget on cybersecurity, 59% say their cybersecurity budget has increased since 2020.

Additionally, budgets, employee compliance with policies and procedures, legacy technology, and patch and vulnerability management are the biggest security challenges, the report said.

An overwhelming 73% said their healthcare organization has an older operating system. For example, 35% use Windows Server 2008 and 20% still use Windows XP. A staggering 19 percent use systems that are nearly 20 years old: Windows Server 2003 and 2003 R2, the report found.

To close these gaps, healthcare organizations can implement various security measures. The report recommends that companies take stock of their current risks and address weaknesses, prioritize doing so in their budgets, and train employees on security measures. Failure to take these actions may result in potential violations.
