Survey Finds Widespread Cybersecurity Impacts on Healthcare

Almost two-thirds of survey respondents report having suffered from a security incident in the last year, and three in four would welcome federal assistance.

The College of Healthcare Information Management Executives (CHIME) (@CIOCHIME) and Association for Executives in Healthcare Information Security (AEHIS) (@AEHISecurity) fielded a survey of its membership’s Chief Information Security Officers (CISOs) to determine the impact cybersecurity incidents had on healthcare in the last year, finding widespread impacts on organizations and the need for more education and resources.

Cybersecurity threats and attacks have steadily increased over the course of the COVID-19 pandemic. This concerning trend indicates that the nation’s healthcare systems remain squarely in the crosshairs of sophisticated threat actors. Congress and the Executive Branch have begun the process of shoring up the nation’s critical infrastructure against cyberthreat actors but have often left healthcare on the periphery of their discussions. The survey from CHIME and AEHIS confirms the need for healthcare to have a seat at the table as one of the most vulnerable and often-targeted pieces of critical infrastructure.

“From this survey it is clear that healthcare providers will need several tools in their arsenal to fight an ever-escalating and complex battle that is being brought directly to their doorstep and threatens their delivery of patient care,” said AEHIS Advisory Board Chair Will Long. “More resources, education, and ongoing support for our sector are needed.”

Only one-third of the surveyed CISOs indicated they had suffered no security impacts in the past 12 months, with almost half reporting they had been impacted by a phishing email or business email compromise and almost 30% saying they’d faced a system or electronic health record (EHR) outage. Most concerning, 15% of respondents reported a patient safety incident tied to a cyber event, and 10% experienced the need to divert patients to another care setting, a trend that has continued to rise in recent years.

One anonymous respondent bleakly reported, “There is no end in sight for the growth of cyber risk and [the] exploitation of critical infrastructure.” Another stated that reporting requirements and other pressing issues are impacting their ability to secure their systems, “We are overwhelmed with unfunded federal mandates. Our organization is struggling through the pandemic while having mandate after mandate applied. [This is] not sustainable.”

As Congress deliberates additional ways to support critical infrastructures, including the healthcare sector, responses from the survey point to a strong need for greater support and education from federal authorities. Only 37% of respondents were aware that Congress passed a law in January that gives credit for the use of cybersecurity best practices and over 70% stated they needed additional assistance in the form of federal aid or assistance from a regional extension center with cyber expertise.

As healthcare providers continue to fight these attacks, it is also notable that survey responses confirm the cost of cyber insurance is increasing. Over 80% of respondents reported the costs of their cyber insurance increased over the past year, with one-in-six seeing an increase of 100% or greater and over 20% seeing an increase as high as 50%.

With providers facing an exponentially increasing number of attacks and an increase in the cost of insurance to protect themselves, it is clear now, more than ever, that Congress and the Executive Branch must work to give providers the resources, education and funding they need to ensure that our healthcare system is protected against these pervasive and persistent attacks.

To achieve this, strong collaboration between the public and private sectors will be absolutely necessary.

View more information on the survey and additional findings.

The College of Healthcare Information Management Executives (CHIME) is an executive organization dedicated to serving chief information officers (CIOs), chief medical information officers (CMIOs), chief nursing information officers (CNIOs), chief innovation officers (CIOs), chief digital officers (CDOs) and other senior healthcare IT leaders. With more than 5,000 members in 56 countries and over 160 healthcare IT business partners and professional services firms, CHIME and its three associations provide a highly interactive, trusted environment enabling senior professional and industry leaders to collaborate, exchange best practices, address professional development needs and advocate the effective use of information management to improve the health and care in the communities they serve.

The Association for Executives in Healthcare Information Security (AEHIS) launched in 2014 as the first professional organization serving healthcare’s senior IT security leaders. AEHIS offers CISOs and other top-ranking information security leaders the professional development and networking opportunities critical for their success. Members have access to educational resources and support for addressing key industry specific privacy and security issues.

Formed under the auspices of CHIME, the premier executive organization dedicated to servicing Chief Information Officers (CIOs) and other senior healthcare IT leaders, AEHIS benefits its members as it upholds CHIME’s 29-year history of delivering valuable, high-quality executive education and networking opportunities.