While the healthcare industry, tied down by staffing and budget issues, is still debating the best way to fix its security woes, hackers are only getting smarter and continuing to shell the industry in full force.

The number of breached patient records has declined from 100 million in 2015 to just 5 million in 2017, according to a recent Symantec report. But don’t take that as good news: 10 percent more organizations reported a breach in 2017 than the previous year.

These results could be interpreted in a number of ways. First, possibly certain state actors, like China, have stayed away from healthcare data, said Axel Wirth, a healthcare solutions architect at Symantec. Findings may also suggest that larger organizations are becoming more secure, while smaller providers are still struggling.

But “it doesn’t matter how many records you hold hostage, it’s equally painful for the organization. It may explain why we see a lot of smaller breaches,” Wirth said.

So what does that mean for the healthcare sector? Hackers aren’t done with their attacks. In fact, the report found there’s been a 600 percent increase in attacks on IoT devices and increasing targeting of mobile devices.

There’s also been a 200 percent increase in supply chain-based attacks in 2017, such as those used in the infamous Petya attack last June. And last year, cryptocurrency mining — which leverages blockchain — increased by a whopping 8,500 percent.

Wirth took these stats to Capitol Hill this month to shed light on this ongoing issue. Unfortunately, the situation is still dire.

To start, security budgets haven’t increased enough: 75 percent of healthcare organizations spend just 6 percent or less of IT budgets on cybersecurity, according to the report. That’s about half of what industries with more mature security invest.

And due to a lack of competitive salaries and difficulty attracting security talent, the security staffing issues have not improved since the June 2017 U.S. Department of Health and Human Services Cybersecurity Task Force report. The task force found three out of four organizations are operating without a designated cybersecurity leader.

In summary, hackers keep rolling out more sophisticated attack vectors, and healthcare is stuck wondering what to do about it.

Awareness is up, confidence is lacking

Fueled by the near-daily reports of breaches and cyberattacks, the healthcare sector is, by now, well aware of the risks from phishing, ransomware and other threat actors.

In fact, according to a recent HIMSS Analytics and Symantec report, 60 percent of healthcare providers now name risk assessments as the number one driver of security investments instead of HIPAA compliance. And about 40 percent have adopted cybersecurity frameworks like NIST.


Read the complete article at healthcareitnews.com


Jessica Davis is senior editor for Healthcare IT News. She extensively covers cybersecurity, government issues and women in health IT.