SECURITY TREND REPORT
Sponsored by
The Digital Health Most Wired Survey and Infrastructure
Cyber awareness in healthcare is at an all-time high following a year of tumultuous cyberattacks that disrupted the entire healthcare ecosystem. A high-profile cyberattack and data breach early 2024 at Change Healthcare thrust the longstanding challenges facing the industry onto the mainstage, providing a voice to industry leaders, patients, and business partners who’ve long advocated for needed resources and support for vulnerable systems. For the first time, patients were directly reporting to the media that their care and safety was put at risk due to the widespread care, payment, pre-authorization and pharmacy outages caused by the cyberattack. Providers reported staggering financial impacts, with some permanently closing or incurring additional debt.
Healthcare cyber breaches also severely impacted protected health information. Last year, more than 725 data breaches were reported to the Department of Health and Human Services (HHS) — the third consecutive year with over 700 massive breaches. Network servers were the most common access point tied to these incidents, with 40% tied to third-party vendors and other supportive partners.
“The threat landscape will continue to increase in complexity, including advanced persistent threat actors, which will target the healthcare sector for the foreseeable future,” Gallagher said.
This report is sponsored by Zscaler, a leader in cloud security. Zscaler helps healthcare organizations protect patient data and critical systems with its Zero Trust platform. As the healthcare landscape becomes increasingly digital, Zscaler understands the importance of robust cybersecurity measures in ensuring secure and compliant operations.
Key Security Findings From the 2024 DHMW Survey
Challenges and Solutions in Healthcare Cybersecurity
5 Strategic Recommendations for Health Systems
The Journey Ahead
Conclusion
Key Security Findings From the 2024 DHMW Survey
DHMW survey respondents provided their feedback on how their organizations approach cybersecurity, how the role of security leadership has been evolving, and what tools and techniques are part of their enterprise-wide security strategy.
Cybersecurity Remains a Top Priority
Not surprisingly, cybersecurity is top of mind for healthcare organizations. Nearly all respondents (99%) deemed cybersecurity a “high” or “essential” priority, both now and in the future. In fact, cybersecurity surpassed clinical quality and safety (94%), infrastructure (88%), and analytics and data management as well as patient engagement (both 87%).
Breaking down the data on who leads cybersecurity efforts reveals deeper insight on how organizations are addressing this priority area. Across all organizations regardless of size, 63% have a dedicated security leader, whether it’s a Vice President or C-level executive. However, only 38% of small organizations have a dedicated security executive, compared to 86% for large organizations. This suggests smaller hospitals and health systems are relying on CIOs, other non-executive team members, or even external partners to drive security strategy.
[Chart: Digital Health Transformation Priorities Over Time (future)]
[Chart: 2024 Digital Transformation Priority (Immediate)]
[Chart: Who Leads Information Security Program, % who indicated each response (n=342)]
The Growing Need for Enhanced Security Capabilities
Organizations with higher overall DHMW scores also scored better in cybersecurity performance. This view of cybersecurity as a bellwether for digital transformation success is critical. When we break down survey data into a higher performing group (Levels 8-10 or “Cyber Forward” organizations) and the remainder of the respondents (Levels 1-7 or “Cyber Evolving” organizations), the DHMW survey data shows that while all Cyber Forward organizations have implemented 100% of the survey’s “enhanced” cyber capabilities with few exceptions, there’s one key anomaly: network segmentation. Around 75% of Cyber Forward organizations are performing this technique while fewer than 40% of Cyber Evolving organizations are doing so.
Network segmentation is critical to creating a defensive architectural technique to strengthen cyber resilience. Gallagher recommends all organizations implement this approach.
What’s more, the survey revealed several gaps in many Cyber Evolving organizations’ cybersecurity capabilities. Fewer than 50% of these organizations implement the following:
Data Loss Prevention (DLP)
Database monitoring
Governance, Risk, and Compliance (GRC)
Monitoring of databases, particularly those holding protected health information (PHI), is a critical activity in the healthcare environment. As noted earlier in the report, nearly 800 PHI data breaches were reported to HHS last year alone, often leading to regulatory and monetary implications. GRC is essentially assessing and managing cyber risk through effective governance to ensure adherence to policies and technology implementation. All organizations should be employing GRC procedures to ensure all threats are assessed and vulnerabilities mitigated, while improving visibility and accountability for all risk management activities. Finally, the survey demonstrates that the Cyber Forward organizations have full (100%) adoption of database monitoring, and 93% adoption of DLP and GRC.
[Chart: How would you characterize the adoption of the following capabilities your organization uses as part of your organization’s security processes?]
[Chart: How would you characterize the adoption of the following security processes your organization currently uses to safeguard information?]
Third-Party Risk Management
The impacts of the Change Healthcare incident are still being felt across the sector, more than one year after the attack. One positive outcome from the outage is that provider organizations are taking action. Survey respondents reported a 16% year-over-year increase in cybersecurity assessments of their third-party partners, and more than 80% of organizations now conduct these assessments at least once a year.
Data also confirmed an uptick in enacting remediation measures, such as closing authentication gaps by limiting access to specific devices and adopting privileged access management, which are proven to restrict third-party partner access to an organization.
However, there’s a critical need for improvement on the actual assessment of vulnerabilities and risks to the healthcare enterprise.
The survey found that relatively few organizations are assessing and mitigating risks posed by third-party vendors. Providers are not creating a risk-ranked inventory of all third-party vendors and assessing the highest-risk vendors. The Cyber Forward entities are performing some degree of these actions, but not with regularity. Third-party risk assessments can be difficult to perform across all entities.
In that case, we recommend that third parties not be granted access to the network, but instead, be given direct, secure access to only the applications/devices required.
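The two practices described above, a risk-ranked vendor inventory with a recurring assessment cadence and application-scoped (rather than network-level) vendor access, can be expressed as a small register and policy check. The following is an added illustration, not code from the report, CHIME, or Zscaler; the vendor names, weights, dates and the one-year assessment interval are constructed assumptions.

```python
"""Added example: a minimal third-party risk register and an
application-scoped access check for vendors.

All vendor names, weights, applications and dates are constructed sample
data; none of them are figures from the DHMW survey."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Assumption: every vendor is reassessed at least once a year.
ASSESSMENT_INTERVAL = timedelta(days=365)


@dataclass
class Vendor:
    name: str
    handles_phi: bool                 # stores or processes protected health information
    network_access: bool              # holds a VPN or other network-level path into the enterprise
    criticality: int                  # 1 (low) to 3 (care-critical operational impact)
    allowed_apps: Set[str] = field(default_factory=set)      # applications this vendor may reach
    allowed_devices: Set[str] = field(default_factory=set)   # vendor devices approved to connect
    last_assessed: Optional[date] = None


def risk_score(v: Vendor) -> int:
    """Additive ranking; the weights are an assumption chosen for illustration.
    A network-level path outranks everything else because it is the broadest access."""
    score = v.criticality * 2
    if v.handles_phi:
        score += 3
    if v.network_access:
        score += 4
    return score


def ranked_inventory(vendors: List[Vendor]) -> List[Vendor]:
    """The risk-ranked inventory: highest-risk vendors first."""
    return sorted(vendors, key=risk_score, reverse=True)


def assessment_due(vendors: List[Vendor], today: date) -> List[Vendor]:
    """Vendors never assessed, or assessed more than ASSESSMENT_INTERVAL ago."""
    return [
        v for v in vendors
        if v.last_assessed is None or today - v.last_assessed > ASSESSMENT_INTERVAL
    ]


def access_allowed(v: Vendor, app: str, device_id: str) -> bool:
    """Grant access only to an explicitly allowed application from an approved
    device. There is deliberately no rule that grants a vendor the network as a whole."""
    return app in v.allowed_apps and device_id in v.allowed_devices


# Constructed sample register.
SAMPLE_TODAY = date(2025, 3, 1)
SAMPLE_VENDORS = [
    Vendor("ClaimsClearing Co", handles_phi=True, network_access=True, criticality=3,
           allowed_apps={"claims-gateway"}, allowed_devices={"dev-cc-01"},
           last_assessed=date(2023, 1, 15)),
    Vendor("BiomedSupport Inc", handles_phi=False, network_access=True, criticality=2,
           allowed_apps={"biomed-remote"}, allowed_devices={"dev-bs-07"},
           last_assessed=date(2024, 9, 1)),
    Vendor("CafeteriaVendor", handles_phi=False, network_access=False, criticality=1,
           allowed_apps={"menu-portal"}, allowed_devices=set(),
           last_assessed=None),
]


if __name__ == "__main__":
    for v in ranked_inventory(SAMPLE_VENDORS):
        print(f"{v.name:20} risk={risk_score(v):2}")
    print("assessment due:", [v.name for v in assessment_due(SAMPLE_VENDORS, SAMPLE_TODAY)])
    claims = SAMPLE_VENDORS[0]
    print(access_allowed(claims, "claims-gateway", "dev-cc-01"))   # allowed app, approved device
    print(access_allowed(claims, "ehr", "dev-cc-01"))              # app not in the vendor's allowlist
    print(access_allowed(claims, "claims-gateway", "laptop-x"))    # unapproved device
```

The access check answers only "this vendor, this application, this device"; a vendor with `network_access=True` is simply ranked higher and reassessed sooner, which is the signal a security team would use to move that vendor onto application-scoped access.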
Challenges and Solutions in Healthcare Cybersecurity
A deep dive into the 2024 DHMW survey results reaffirms what industry leaders have long warned: Organizations are facing a consistent stream of threats and other challenges, while constrained by limited resources. Along with a summary of findings, the section below offers practical solutions and recommendations for security leaders.
The data also showed a substantial gap between Cyber Forward and Cyber Evolving organizations regarding internal security testing, such as vulnerability scanning, unannounced penetration testing, and access control audits. These activities are critical analysis tools that allow teams to test the effectiveness of policies and security controls to maintain cyber resilience. We know these internal testing techniques can yield myriad results. The key to reducing the risk of these vulnerabilities is the prioritization of the remediation and efficient tracking and workflow management.
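Prioritizing remediation and tracking it against a deadline, which the paragraph above names as the key to getting value from internal testing, is shown below as an added example; it is not code from the report or from any vendor. The findings, asset tags, scoring weights and SLA days are constructed assumptions.

```python
"""Added example: prioritising and tracking remediation of findings from
internal testing (vulnerability scans, penetration tests, access-control audits).

Findings, assets, weights, SLA windows and dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation deadlines by severity, in days (a policy choice, not a survey value).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 20, "low": 10}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    source: str               # "vuln-scan", "pentest" or "access-audit"
    severity: str             # key into SLA_DAYS
    asset: str
    asset_criticality: int    # 1 (low) to 3 (care-critical, e.g. EHR or imaging)
    internet_exposed: bool
    holds_phi: bool
    opened: date
    closed: Optional[date] = None


def priority(f: Finding) -> int:
    """Severity plus business context: the same scanner severity ranks higher on a
    care-critical, internet-exposed or PHI-bearing asset."""
    score = SEVERITY_WEIGHT[f.severity] + 10 * f.asset_criticality
    if f.internet_exposed:
        score += 15
    if f.holds_phi:
        score += 10
    return score


def due_date(f: Finding) -> date:
    return f.opened + timedelta(days=SLA_DAYS[f.severity])


def overdue(f: Finding, today: date) -> bool:
    return f.closed is None and today > due_date(f)


def remediation_queue(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings only: SLA breaches first, then by priority, then by nearest deadline."""
    open_items = [f for f in findings if f.closed is None]
    return sorted(open_items, key=lambda f: (not overdue(f, today), -priority(f), due_date(f)))


def sla_summary(findings: List[Finding], today: date) -> Dict[str, int]:
    """Counts a team can report weekly to show whether the remediation workflow keeps up."""
    counts = {"open": 0, "overdue": 0, "closed_within_sla": 0, "closed_late": 0}
    for f in findings:
        if f.closed is None:
            counts["open"] += 1
            if overdue(f, today):
                counts["overdue"] += 1
        elif f.closed <= due_date(f):
            counts["closed_within_sla"] += 1
        else:
            counts["closed_late"] += 1
    return counts


# Constructed sample findings.
SAMPLE_TODAY = date(2025, 3, 1)
SAMPLE_FINDINGS = [
    Finding("F-1", "pentest", "high", "patient-portal", 3, True, True, date(2025, 1, 10)),
    Finding("F-2", "vuln-scan", "critical", "ehr-db-01", 3, False, True, date(2025, 2, 26)),
    Finding("F-3", "access-audit", "medium", "hr-share", 1, False, False, date(2024, 11, 1)),
    Finding("F-4", "vuln-scan", "low", "kiosk-12", 1, False, False, date(2025, 2, 1), closed=date(2025, 2, 20)),
    Finding("F-5", "vuln-scan", "high", "imaging-gw", 3, False, True, date(2024, 12, 1), closed=date(2025, 2, 15)),
]


if __name__ == "__main__":
    for f in remediation_queue(SAMPLE_FINDINGS, SAMPLE_TODAY):
        flag = "OVERDUE" if overdue(f, SAMPLE_TODAY) else "due " + due_date(f).isoformat()
        print(f"{f.finding_id} {f.severity:8} {f.asset:16} priority={priority(f):3} {flag}")
    print(sla_summary(SAMPLE_FINDINGS, SAMPLE_TODAY))
```

Putting SLA breaches at the head of the queue is a tracking decision: an overdue medium on a low-value share still surfaces above a fresh critical, so that stale items cannot sit unnoticed under a stream of new scanner output. Teams that prefer pure risk ordering can drop the first element of the sort key.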
Across all organizations, the use of “tabletop exercises” (an informal discussion-based session with the response team that discusses their roles and response activities in the event of an emergency) is exceptionally low. As Gallagher sees it, more organizations should be leveraging these exercises to gauge employees’ and team response times and overall understanding of the incident response plan. Organizations should be performing these assessments on a regular basis and should include executive management, which will ensure the entire workforce is prepared to respond to a cyber incident to maintain care operations in the event of a cyber event.
[Chart: How often does your organization conduct internal testing? Response options include: At least monthly; Quarterly]