New research by the Healthcare Information and Management Systems Society (HIMSS) has found that phishing and ransomware attacks are the most significant security incidents impacting healthcare organizations of all types.
The finding emerged from the 2021 HIMSS Healthcare Cybersecurity Survey that questioned 167 healthcare cybersecurity professionals about security incidents their organizations had experienced in the past twelve months.
Nearly half (45%) said the most significant security breach they had experienced in the previous twelve months was a phishing attack, while a further 17% named a ransomware attack.
Asked about the cause of their most significant breach, more than half (57%) said phishing was to blame. Negligent insider activity was named by 7% of respondents as the cause of the most significant security incident.
While email-based phishing attacks accounted for most (71%) of the significant security breaches, 27% had suffered a significant vishing (voice phishing) incident and 21% said they had been the victim of a significant smishing (SMS phishing) attack.
In 15% of attacks, the initial point of compromise occurred through social engineering. However, the most common route into an organization for attackers was phishing, which accounted for 71% of attacks.
Among the other key findings, human error was the cause of 19% of data breaches, and a further 15% of breaches were attributed to the use of legacy software that is no longer supported.
Asked about the impact of security breaches, 32% said breaches disrupted systems that impacted business operations. More than a quarter (26%) said security breaches disrupted IT systems, and 22% said security breaches resulted in data breaches or data leakage.
Fewer respondents (21%) said security breaches impacted clinical care, and only 17% said the most significant security incident resulted in financial loss.
HIMSS said: "The findings of the 2021 HIMSS Healthcare Cybersecurity Survey suggest that healthcare organizations still have significant challenges to overcome.
"These barriers to progress include tight security budgets, growing legacy footprints and the growing volume of cyber-attacks and compromises."
The society said that while basic security controls have not been fully implemented at many organizations, "perhaps the largest vulnerability is the human factor."