78% of Providers Report Healthcare Ransomware, Malware Attacks

Email is the most likely cause for a data breach, according to recent research, with 78 percent of providers reporting that they experienced a healthcare ransomware or malware attack in the past 12 months.

Eighty-seven percent of respondents said they also expect email-related security threats to increase or significantly increase in the future, found the Mimecast survey that was conducted by HIMSS Analytics.

Respondents consisted of IT professionals at a variety of healthcare providers, who were responsible for

Forty-three percent of large provider organizations reported at least 16 malware and/or ransomware attacks, pushing that demographic into the most affected from such email security issues.

The majority of those surveyed – 93 percent – said email is mission critical to their organization, with 43 percent saying that it was mission critical and downtime could not be afforded.

"This study confirms that no healthcare provider is immune to this growing threat of email-related cyberattacks,” HIMSS Analytics Senior Director Bryan Fiekers said in a statement. “While the results show that larger providers are being hit harder, especially with ransomware, these same organizations are also the ones leading the charge in defining industry best practices to address these threats.”

Preventing malware and/or ransomware attacks, training employees about how to be diligent when it comes to cybersecurity, and securing email were the top cyber resilience strategies listed by respondents.

Approximately one-third of surveyed providers – 28 percent – reported that protecting the organization against new threats was the main challenge. Training employees to spot security risks (22 percent) and staffing (19 percent) were the next top challenges.

Eighty-eight percent of respondents said they perform cybersecurity assessments at least yearly, with 43 percent reporting that they do conduct the assessments at least once per year. Sixteen percent said they perform cybersecurity assessments quarterly, while 18 percent said they do so monthly.

Two-thirds of providers that perform cybersecurity assessments stated that email is always included in the assessment. Nearly one-third said that email is sometimes included, while 2.5 percent stated that email is never included in the assessment or that they did not know if it was.

Large organizations were more likely to include email in their cybersecurity assessment though, with 74 percent of larger facilities reporting that it is always included. Fifty-nine percent of intermediate-sized entities said the same, with 68 percent of small organizations reporting that email was always included.

The survey indicated that larger organizations also experienced more ransomware or malware attacks in the past 12 months. Sixty-three percent of large facilities experienced both malware and ransomware in the last year, 24 percent of intermediate organizations had both types of attacks, and 22 percent of small organizations did.

Respondents were also asked to rank how concerned they were over potential threats, with one being not concerned and seven being very concerned. Eighty-three percent of those surveyed said they were very concerned over ransomware email threats, followed by impersonation/business email compromise/CEO fraud (65 percent), targeted attacks/spear phishing (64 percent), and malware (58 percent).

“This survey clearly demonstrates that email is a mission-critical application for healthcare providers and that cyberthreats are real and growing – surprisingly, even more so than the threats to Electronic Medical Records (EMRs), laptops and other portable electronic devices,” Mimecast Healthcare Cyber Resilience Strategist David Hood said in a statement. “It’s encouraging that protecting the organization and training employees are top initiatives for next year, but the survey suggests the industry has work to do.”

Healthcare email security was also brought under scrutiny in a recent survey from the National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA), and Agari.  

The report analyzed Domain-based Message Authentication, Reporting & Conformance (DMARC), finding that 98 percent of top healthcare providers have not implemented the email authentication standard that aims to eliminate phishing emails.

The survey found that 57 percent of emails that are allegedly from the healthcare industry are fraudulent or unauthenticated, and that 92 percent of healthcare domains have been targeted by fraudulent email.

“The implementation of DMARC for Aetna improved the consumer experience by eliminating unwanted and fraudulent email which reduced the risk of phishing, resulting in more email engagement and healthier lives for members,” said Aetna CSO Jim Routh, who is also NH-ISAC Chairman.