
SECURITY TREND REPORT

Sponsored by

The Digital Health Most Wired Survey and Infrastructure

Cyber awareness in healthcare is at an all-time high following a year of tumultuous cyberattacks that disrupted the entire healthcare ecosystem. A high-profile cyberattack and data breach in early 2024 at Change Healthcare thrust the longstanding challenges facing the industry onto the main stage, giving a voice to industry leaders, patients, and business partners who have long advocated for needed resources and support for vulnerable systems. For the first time, patients were directly reporting to the media that their care and safety were put at risk by the widespread care, payment, pre-authorization and pharmacy outages caused by the cyberattack. Providers reported staggering financial impacts, with some permanently closing or incurring additional debt.
Healthcare cyber breaches also severely impacted protected health information. Last year, more than 725 data breaches were reported to the Department of Health and Human Services (HHS) — the third consecutive year with over 700 massive breaches. Network servers were the most common access point tied to these incidents, with 40% tied to third-party vendors and other supportive partners.
“The threat landscape will continue to increase in complexity, including advanced persistent threat actors, which will target the healthcare sector for the foreseeable future,” Gallagher said.

This report is sponsored by Zscaler, a leader in cloud security. Zscaler helps healthcare organizations protect patient data and critical systems with its Zero Trust platform. As the healthcare landscape becomes increasingly digital, Zscaler understands the importance of robust cybersecurity measures in ensuring secure and compliant operations.

Key Security Findings From the 2024 DHMW Survey

Challenges and Solutions in Healthcare Cybersecurity

5 Strategic Recommendations for Health Systems

The Journey Ahead

Conclusion

Key Security Findings From the 2024 DHMW Survey

DHMW survey respondents provided their feedback on how their organizations approach cybersecurity, how the role of security leadership has been evolving, and what tools and techniques are part of their enterprise-wide security strategy.

Cybersecurity Remains a Top Priority

Not surprisingly, cybersecurity is top of mind for healthcare organizations. Nearly all respondents (99%) deemed cybersecurity a “high” or “essential” priority, both now and in the future. In fact, cybersecurity surpassed clinical quality and safety (94%), infrastructure (88%), and analytics and data management as well as patient engagement (both 87%).
Breaking down the data on who leads cybersecurity efforts reveals deeper insight on how organizations are addressing this priority area. Across all organizations regardless of size, 63% have a dedicated security leader, whether it’s a Vice President or C-level executive. However, only 38% of small organizations have a dedicated security executive, compared to 86% for large organizations. This suggests smaller hospitals and health systems are relying on CIOs, other non-executive team members, or even external partners to drive security strategy.
Chart: Digital Health Transformation Priorities Over Time (future)

Chart: 2024 Digital Transformation Priority (Immediate)

Chart: Who Leads Information Security Program (% who indicated each response, n=342)

The Growing Need for Enhanced Security Capabilities

Organizations with higher overall DHMW scores also scored better in cybersecurity performance. This view of cybersecurity as a bellwether for digital transformation success is critical. When we break down survey data into a higher performing group (Levels 8-10 or “Cyber Forward” organizations) and the remainder of the respondents (Levels 1-7 or “Cyber Evolving” organizations), the DHMW survey data shows that while all Cyber Forward organizations have implemented 100% of the survey’s “enhanced” cyber capabilities with few exceptions, there’s one key anomaly: network segmentation. Around 75% of Cyber Forward organizations are performing this technique while fewer than 40% of Cyber Evolving organizations are doing so.
Network segmentation is a critical defensive architectural technique for strengthening cyber resilience. Gallagher recommends that all organizations implement this approach.
What’s more, the survey revealed several gaps in many Cyber Evolving organizations’ cybersecurity capabilities. Fewer than 50% of these organizations implement the following:

Data Loss Prevention (DLP)
Database monitoring
Governance, Risk, and Compliance (GRC)

Database monitoring, particularly those holding protected health information (PHI), is a critical activity in the healthcare environment. As noted earlier in the report, nearly 800 PHI data breaches were reported to HHS last year alone, often leading to regulatory and monetary implications. GRC is essentially assessing and managing cyber risk through effective governance to ensure adherence to policies and technology implementation. All organizations should be employing GRC procedures to ensure all threats are assessed and vulnerabilities mitigated, while improving visibility and accountability for all risk management activities. Finally, the survey demonstrates that the Cyber Forward organizations have 100% full adoption for database monitoring, and 93% for DLP and GRC.

Chart: How would you characterize the adoption of the following capabilities your organization uses as part of your organization’s security processes?

Chart: How would you characterize the adoption of the following security processes your organization currently uses to safeguard information?

Third-Party Risk Management

The impacts of the Change Healthcare incident are still being felt across the sector, more than one year after the attack. One positive outcome from the outage is that provider organizations are taking action. Survey respondents reported a 16% year-over-year increase in cybersecurity assessments of their third-party partners, and more than 80% of organizations now conduct these assessments at least once a year.
Data also confirmed an uptick in enacting remediation measures, such as closing authentication gaps by limiting access to specific devices and adopting privileged access management, which are proven to restrict third-party partner access to an organization.
However, there’s a critical need for improvement on the actual assessment of vulnerabilities and risks to the healthcare enterprise.
The survey found that relatively few organizations are assessing and mitigating risks posed by third-party vendors. Providers are not creating a risk-ranked inventory of all third-party vendors and assessing the highest-risk ones. The Cyber Forward entities are performing some degree of these actions, but not with regularity. Third-party risk assessments can be difficult to perform across all entities.
In that case, we recommend that third parties not be granted access to the network, but instead, be given direct, secure access to only the applications/devices required.

Challenges and Solutions in Healthcare Cybersecurity

A deep dive into the 2024 DHMW survey results reaffirms what industry leaders have long warned: Organizations are facing a consistent stream of threats and other challenges, while constrained by limited resources. Along with a summary of findings, the section below offers practical solutions and recommendations for security leaders.
The data also showed a substantial gap between Cyber Forward and Cyber Evolving organizations regarding internal security testing, such as vulnerability scanning, unannounced penetration testing, and access control audits. These activities are critical analysis tools that allow teams to test the effectiveness of policies and security controls to maintain cyber resilience. These internal testing techniques can surface a large number of findings. The key to reducing the risk from these vulnerabilities is prioritizing remediation and tracking it through efficient workflow management.
Across all organizations, the use of “tabletop exercises” (an informal discussion-based session with the response team that discusses their roles and response activities in the event of an emergency) is exceptionally low. As Gallagher sees it, more organizations should be leveraging these exercises to gauge employees’ and team response times and overall understanding of the incident response plan. Organizations should be performing these assessments on a regular basis and should include executive management, which will ensure the entire workforce is prepared to respond to a cyber incident to maintain care operations in the event of a cyber event.

Chart: Internal Testing. How often does your organization conduct internal testing? (At Least Monthly; Quarterly)

An Expanding Attack Surface

The proliferation of IoT devices, operational technology (OT), and mobile endpoints in healthcare has significantly expanded the average organization’s attack surface. The COVID-19 pandemic fueled the onboarding of new digital, mobile and telehealth technologies, often implemented without security in mind. The digital health landscape has continued to expand, while security measures to keep attackers off networks have not been consistently adopted.
As a result, threat actors are leveraging unsecured endpoints to gain a foothold onto the network, moving laterally to other connected devices, and wreaking havoc.
Authentication measures were applied across the device spectrum, including personal, monitoring, and both medical and non-medical devices. Applying authentication to personal devices was the biggest gainer year-over-year with a 17% increase in adoption, although this category still lagged significantly behind the other device types, with only 51% fully adopting and 25% partially applying authentication to personal devices.
The survey showed near universal use of knowledge-based (e.g. passwords) and possession-based (sending codes to phones or emails), as well as multifactor authentication (MFA) for remote connections.

IT Asset Inventory & Device Access Controls for Effective Risk Management

All (100%) of Cyber Forward organizations reported they maintain inventories of mobile and medical devices, as well as a substantial number for employee-owned devices.
However, for Cyber Evolving organizations these rates drop to 60% for mobile and medical devices and about 25% for employee-owned devices. Asset inventories are critical for understanding the attack surface and network traffic on the devices, which are a direct patient safety risk.

Encryption

Encryption is an important security control for protecting PHI and an organization’s sensitive data. The survey data showed that 100% of the Cyber Forward organizations are implementing encryption of data at rest and in motion.
For Cyber Evolving organizations, encryption at rest is implemented by 73% and encryption in motion by 82%. As this is a recognized best practice and a recommended control by many cybersecurity frameworks, not to mention the HIPAA Security Rule, all organizations should implement this control where practicable.

AI Adoption to Enhance Cybersecurity

There are several other opportunities for organizations to embed AI into their security strategy.

5 Strategic Recommendations for Health Systems

There’s no one solution that will singlehandedly fix the longstanding challenges facing the healthcare industry. However, there are a host of free resources, partners, and strategic steps provider organizations can take that will reduce vulnerabilities and harden defenses, while restricting access to critical systems and ensuring organizations are best leveraging their cybersecurity budgets.

Invest in Security Leadership

No matter the size of the organization, dedicated security leaders are critical to driving holistic security strategies. To help make the case, organizations can point to the results of the 2024 Digital Health Most Wired survey, which affirm that strong cybersecurity leadership leads to security maturity, which in turn leads to stronger performance in clinical quality and safety, infrastructure, analytics, data management, and patient engagement.

Conclusion

The threat landscape is evolving at an equal, if not greater, pace than the technology used to support the modern digital health environment. Compliance-based security strategies and a lack of cyber investment can no longer be considered the status quo. As entities continue to adopt digital health technology, cybersecurity must be the foundational backbone of every organization.
As technology evolves, so too does the landscape of cybersecurity threats. Increased adoption of IoT and OT devices means healthcare organizations have more sources of valuable data — but also more access points to secure. Third-party hardware and software provide many financial and operational benefits, but it also expands an organization’s attack surface while limiting visibility into potential threats.
On top of that, attackers are leveraging AI and other technology to make attacks more realistic and much more frequent.
The reactive approach of organizations must be put to rest. As the industry saw the fallout from a single point of failure with the Change Healthcare incident, every leader must take a proactive approach to cybersecurity and close known gaps and vulnerabilities. Steps such as embracing automated threat detection and response and effective assessments of internal and third-party risks can help health systems address common vulnerabilities.
Security leaders must leverage risk data to advocate for these critical solutions, cybersecurity resources, and greater authority for cybersecurity leadership. Cyberattacks are inevitable, but the right measures ensure an organization can return to business as usual with less impacts on patient care and business outcomes.

About Digital Health Analytics

Digital Health Analytics (DHA) is a global market intelligence and survey research hub for digital health technology. Provided by the College of Healthcare Information Management Executives (CHIME), DHA was created in 2022 to supercharge organizations’ digital health transformation capabilities by moving from a one-snapshot-in-time, static Most Wired survey to a 365/24/7 data and analytics resource. DHA is the gateway for provider organizations and companies to better understand how digital technology supports leaders in transforming health and care and delivering data insights that help them make the greatest business impact possible. For more information, please visit dhanalytics.org.

About CHIME

The College of Healthcare Information Management Executives (CHIME) is an executive organization dedicated to serving chief information officers (CIOs), chief medical information officers (CMIOs), chief nursing information officers (CNIOs), chief innovation officers (CIOs), chief digital officers (CDOs), and other senior healthcare IT leaders. With more than 5,000 members in 58 countries plus 2 US territories and over 190 healthcare IT business partners and professional services firms, CHIME and its three associations provide a highly interactive, trusted environment enabling senior professional and industry leaders to collaborate, exchange best practices, address professional development needs, and advocate the effective use of information management to improve the health and care in the communities they serve. For more information, please visit chimecentral.org.