Health information is both super personal and mission critical. After all, if your bank accounts are breached, it may creep you out and you might even lose money, but such losses are often insured. If your health information gets hacked, that targets you directly, physically, possibly in ways that insurance can’t fix.

If scammers start changing details on a medical record, substantial physical damage could result. If a health record is cloned and sold for profit on the black market, someone other than the patient could use the medical care benefits for their own profit, or even forge a very convincing digital clone—a “virtual person”—based on the detailed information it contains.

So how secure is the healthcare ecosystem? Following the recent spate of breaches in the sector, we set out to determine what cybersecurity looks like from where health IT pros themselves sit. In conjunction with the highly respected Ponemon Institute, we asked the hard questions. Here are the top takeaways from the resultant study, The State of Cybersecurity in Healthcare Organizations in 2016, from ESET’s research team.

Stephen Cobb, ESET senior security researcher

1. “Lack of collaboration” is seen as top challenge

Respondents cited both lack of staff and budget as serious challenges to the cybersecurity posture, neither of which bodes well for swiftly fixing the many security gaps this study documents. Even more worrying, however, was the most-cited obstacle to a better cybersecurity posture: Lack of collaboration with other functions. While I have been hearing anecdotal evidence of this from my colleagues in healthcare for some time, this is the first study in which I have seen it documented. I think it reflects a growing realization that this particular IT environment is more complex and challenging than previously thought.

Lysa Myers, ESET security researcher

2. 52% are concerned with legacy systems, 51% are concerned with new tech, and a little less than half are concerned with employees

Old machines are a problem and new machines are a problem… How narrow is the window between these two states, especially given the number of people reporting problems due to 0-3-month-old vulnerabilities? It’s Security Goldilocks!

3. 50% have no incident response plan

Between this and the last point of #1, this tells me that while technology outside their comfort zone may be worrisome, there is a huge lack of planning on the people side of this equation. There needs to be risk assessment, planning for incidents, and education of employees. If even the security staff doesn’t have a plan for what to do in case of a threat, what do you suppose the odds are that the rest of the staff does?

Cameron Camp, ESET security researcher

4. One in four health IT pros don’t understand their cyberattacks or their own defense

One thing that struck everyone reviewing the data was how much respondents simply didn’t know. According to the survey, about a quarter of people charged with protecting data in the healthcare sector do not know:

  • How many cyberattacks their organization has had in the last year
  • Whether they’ve experienced an incident involving the loss or exposure of patient data
  • Whether cyberattacks evaded their intrusion prevention system, AV solutions or other traditional security controls
  • If they are prepared to stop APTs

Healthcare executives need to get in touch with what attacks they’re actually seeing. If you don’t know how you’re being attacked, you can’t know what you need to do for defense.

5. 39% said their organization had “no understanding of how to protect against cyberattacks”

It’s time to change the culture in the healthcare sector. The information in the proverbial boiler room has not made it to the C-suite, as it has in other industries. However, with this new Ponemon study, there can be no more debate: The industry is in cybersecurity crisis. It’s costing healthcare organizations millions of dollars a year. And now that those costs are visible, it’s time to take steps to protect not just the bottom line, but patient information and even patient lives.

Further Details and Analysis

You can download the full study from ESET North America. You can also watch a recorded webinar in which Larry Ponemon and Stephen Cobb discuss the report and its implications (one-time registration may be required).

Some additional comments on the report by Stephen Cobb can be found here. Note that the link to the report from that page does not work for readers outside the US; non-US readers can use this link.