
An epidemic of overconfidence and underestimation in IT security protections and staff readiness could leave health care organizations at risk of catastrophic attacks.

IT services provider Omega Systems said that a recent survey of healthcare IT professionals found that while many see their companies as doing more than enough when it comes to data security, there remain key weaknesses and pain points that will put organizations at risk.

The findings were part of a study on how healthcare organizations assess their cybersecurity protections and incident response capabilities, with 19% of leaders saying a cyberattack has already disrupted patient care. Omega Systems said that 80% of healthcare organizations were targeted by at least one cyberattack in the last year, with social-engineering attacks and ransomware leading the charge at 48% and 34% of attacks, respectively.

The study concluded that in many cases organizations are over-assessing their security protection and are overlooking key blind spots that could enable threat actors to breach their networks and steal data for ransomware and extortion attacks.

“Despite the prevalence of attacks experienced in the past year, 80% of leaders said they are confident or very confident their employees will effectively detect and prevent AI-powered attacks like phishing, deepfakes or other advanced social engineering attacks. 76% are confident in the security posture of their third-party vendors and suppliers,” the report noted.

“But reality shows a false sense of security. Data indicates that specific cybersecurity gaps exist, putting healthcare organizations at greater risk.”

Not every part of the healthcare industry was found to be so confident in its abilities, however. Of those polled in the life sciences field, 13% said they have low or no trust in their employees' ability to spot and respond to a cybersecurity event.

To underscore the skepticism among respondents, more than half (52%) believe that within the next five years they will see a cybersecurity event against a healthcare organization that directly results in human fatalities.

One area of concern was training. The survey found that 30% of organizations did not regularly train employees on how to spot and respond to potential phishing and network cyberattacks.

Toby Gouker, chief security officer with First Health Advisory, told SC Media that it is not uncommon for health care organizations to have issues with staff cybersecurity training due to the overwhelming nature of the profession and its requirements.

“Clinical staff in hospitals frequently experience training fatigue, and it’s a growing concern in healthcare settings — especially as digital transformation, regulatory demands, and new technologies like AI are pressed upon staff,” Gouker explained.

“In light of training fatigue being present, senior management has to choose which training experiences to incorporate, and in many cases frequent cybersecurity training may be cut from the list in favor of training perceived to be more patient centric.”

Also of concern were staffing levels. 23% of respondents reported that their IT and security teams were understaffed, and 57% believed they lack the time and expertise to maintain compliance with their industry's respective regulatory standards.

Disaster preparedness was yet another area where organizations were found to be skeptical of the capacity and capabilities of their employees and leadership. Should a healthcare organization suffer a security incident, the response and fallout could be long and costly.

“Nearly a quarter of organizations admitted it could take up to a month to detect and contain a suspected data breach utilizing their current controls,” the report found. “For life sciences companies, response times are even longer, with 20% saying it could take as long as months to quell the risk.”