Some 80% of executives at US healthcare providers and insurers say their IT systems have been compromised by a cyber-attack, with two-thirds claiming external hackers are the greatest threat, according to KPMG.
The consultancy polled over 200 healthcare executives to compile its latest report: Health Care and Cyber Security.
It found that malware infections (67%) and patient privacy-related compromises (57%) were the main information security concerns.
The industry as a whole still lags other sectors, the report argued, hampered by “outdated clinical technology, insecure network-enabled medical devices, and an overall lack of information security management processes.”
It added:
“At the core of the increased risk to healthcare organizations is the richness and uniqueness of the information that the health plans, doctors, hospitals and other providers handle. Apart from typical financial fraud, there is also the possibility of medical insurance fraud, or, in the case of providers, attacks on computer-controlled medical devices. As this is the largest part of the US economy and a safeguard of people’s well-being, healthcare is a matter of national security.”
Healthcare organizations are facing an ever-growing threat thanks to several evolving trends.
These include the adoption of digital patient records; the use of antiquated electronic medical record (EMR) systems; the ease of distributing patient data; the internet-facing nature of many systems; and the growing sophistication of attacks.
Worryingly, just half (53%) of providers and two-thirds of healthcare insurers claimed they were ready to withstand a cyber-attack. This is despite the fact that almost half of those polled (44%) said they had experienced between one and 50 attempted cyber-attacks over the past year.
KPMG recommends that healthcare firms build cybersecurity into IT systems at the design stage in order to improve their resilience. Appointing a CISO or equivalent and creating a security operations center were also advised.
Healthcare organizations must also do better at understanding third-party risk, and appoint board members who are security savvy, as well as CISOs who can speak the language of the business.