The majority of healthcare entities faced a security incident in the last year, driven by successful phishing attacks, malware, ransomware, hacking, and insider threats, according to a survey of chief information security officers who are members of The College of Healthcare Information Management Executives and Association for Executives in Healthcare Information Security.

Just one third of CHIME and AEHIS CISOs said they suffered no security impacts in the last 12 months. The findings correlate to recent research from the Ponemon Institute and discussions with healthcare stakeholders that highlight the complexity of the healthcare environment makes it difficult to close security gaps. At the same time, the stakes are higher with patient lives at risk.

CHIME and AEHIS spoke with leading healthcare CISOs to determine the impact of cybersecurity threats and attacks against the sector throughout the COVID-19 pandemic. The CISOs are primarily employed at integrated delivery systems, individual hospitals or acute care facilities, multi-hospital or health systems, or ambulatory care sites, among other smaller providers.

Just 52% are members of an information sharing and analysis center (ISAC) or information sharing and analysis organizations (ISAO).

The results showed that nearly half of its organizations were impacted by a phishing attack or business email compromise during the assessed timeframe.

About 30% experienced a system or electronic health record outage, with another 15% reporting a patient safety incident tied to a cyber event, and 10% were forced to divert patients to nearby healthcare settings as a result of cyberattack-related outages.

“There’s no end in sight for the growth of cyber risk and [the] exploitation of critical infrastructure,” according to one survey respondent. Another CISO said: “We’re overwhelmed with unfunded federal mandates. Our organization is struggling through the pandemic while having mandate after mandate applied. [This is] not sustainable.”

Other CISO responses pointed to reporting requirements and “other pressing issues” as affecting their organizations’ ability to secure their systems.

Perhaps it’s then unsurprising that 45% of the surveyed CISOs said they were unaware of the Department of Health and Human Services voluntary best practice guidance released in 2019. The guide is broken down into organization type and employee role and contains some of the most pressing risks to healthcare delivery organizations and how to implement effective measures.

Just 37% of the respondents said they knew Congress passed a law in January, which credits organizations that employ cybersecurity best practices.

As healthcare organizations work to overcome these challenges, 80% of the CISOs responded that the cost of cyber insurance has increased over the last year. Of those seeing higher insurance costs, 1 out of 6 saw an increase of 100% or greater and more than 20% seeing increases as high as 50%.

Sophisticated threat actors have continued to target healthcare and other critical infrastructure entities, drawing focus of Congress who have worked to implement measures to improve infrastructure security. However, healthcare is often left out of these discussions, drawing concerns from CHIME and AEHIS. 

The stakeholders groups believe the survey findings confirm healthcare organizations need a “seat at the table as one of the most vulnerable and often-targeted pieces of critical infrastructure.” There’s also a strong need for greater education and support in the healthcare sector to strengthen the sector’s overall resilience.

More than 70% of the surveyed CISOs said additional assistance is needed to accomplish needed security tasks in the form of federal aid or assistance from a regional extension center focused on cybersecurity. Officials explained that strong collaboration between public and private sectors will be “absolutely necessary” to accomplishing these goals across the sector.

“With providers facing an exponentially increasing number of attacks and an increase in the cost of insurance to protect themselves, it is clear now, more than ever, that Congress and the Executive Branch must work to give providers the resources, education and funding they need to ensure that our healthcare system is protected against these pervasive and persistent attacks,” the report authors wrote.

“It’s clear healthcare providers will need several tools in their arsenal to fight an ever-escalating and complex battle that is being brought directly to their doorstep and threatens their delivery of patient care,” said AEHIS Advisory Board Chair Will Long, in a statement. “More resources, education, and ongoing support for our sector are needed.”

The recommendations align with recent discussions both with the need for HHS to require NIST as the security standard and not The Health Insurance Portability and Accountability Act, which was designed long before the modern, digital tech landscape and only has 42 security controls.

Some stakeholders have noted that presenting the voluntary guidance to healthcare organizations was just the first step and that it’s possible HHS will move to make it a requirement in the near future.