A KPMG survey shows that 47% of healthcare payers and providers experienced security-related violations or cyber-attacks that compromised data in 2017, yet 87% rated their readiness to defend at four or better on a five-point scale.
There are two types of payers and providers: Those who have been the victim of a cyberattack and those who will be. At least that’s a reasonable conclusion based on responses from senior leaders in the healthcare provider and payer sectors to the comprehensive 2017 KPMG Cyber Healthcare & Life Sciences Survey.
Payers and providers must be in denial. That is the only explanation for a group of more than 100 respondents from healthcare organizations with more than $500 million in annual revenue, 87% of whom rated their organizations at least a four out of five on a gauge of readiness to defend against a concerted cyber-attack. 35% rated their organizations as “completely ready” to defend against such attacks.
How can one rate his or her organization’s readiness so highly when 47% of those same respondents experienced security-related HIPAA violations or cyber-attacks that resulted in data loss or system compromise in the past 24 months?
It doesn’t make much sense.
“Healthcare payers and providers are on treacherous ground here and some organizations are underestimating cyber-security risks,” KPMG Healthcare Advisory Leader Dion Sheidy said in a press release announcing the survey findings. “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate. The WannaCry ransomware hack in May was a warning shot against our collective ability to protect patient safety and privacy.”
Despite rising threats, KPMG’s survey found that cyber-security as a board agenda item has declined over the past two years (79% versus 87% in 2015). KPMG also found a disconnect on cyber investment in this volatile environment: fewer healthcare companies made investments in information protection in the prior twelve months (66% versus 88% in the 2015 survey).
When asked to identify the specific attack vectors that led to data loss or cyber-attack, external exploitation of a vulnerability led the pack at 69%, with malware introduced through human error close behind at 60%. Other vectors included phishing emails (39%), a third-party device, product or service (37%) and internal bad actors (19%).
Some 32% of respondents said attacks through those vectors resulted in ransomware being introduced into the organization’s environment, while 66% said they caught the attack before that happened.
Perhaps most chilling: Of the organizations that were infected with ransomware, 41% paid the ransom to regain their data.
Philip Betbeze is the senior leadership editor at HealthLeaders.