The 2019 HIMSS Cybersecurity Survey provides insight into the information security experiences and practices of US healthcare organizations in light of increasing cyber-attacks and compromises. Reflecting the feedback from 166 US-based health information security professionals, the findings of this study distill as follows:
A pattern of cybersecurity threats and experiences is discernable across US healthcare organizations
  o Significant security incidents are a near-universal experience in US healthcare organizations, with many of the incidents initiated by bad actors leveraging e-mail as a means to compromise the integrity of their targets.
Many positive advances are occurring in healthcare cybersecurity practices
  o Healthcare organizations appear to be allocating more of their information technology (“IT”) budgets to cybersecurity.
Complacency with cybersecurity practices can put cybersecurity programs at risk
  o There are certain responses that are not necessarily “bad” cybersecurity practices, but may be an “early warning signal” about potential complacency seeping into the organization’s information security practices.
Notable cybersecurity gaps exist in key areas of the healthcare ecosystem
  o The lack of phishing tests in certain organizations and the pervasiveness of legacy systems raise grave concerns regarding the vulnerability of the healthcare ecosystem.