Sign in

HIMSS survey shows significant security incidents

By: Lisa Marlin

March 13, 2018

The annual HIMSS cybersecurity survey released March 8 revealed that nearly 76 percent of health information security professionals believe their organizations experienced a significant security incident in the past 12 months. HIMSS polled 239 healthcare leaders between December 2017 and January 2018 and the results of that survey definitely showed room for improvement across the board. Here are some key points:

Top threat actor
Survey respondents characterized the top threat actor for recent significant security incidents as the online scam artist involved in activities such as phishing and spear phishing (29.6%). Still others indicated that negligent insiders were responsible for the most significant security incident (16.4%) or hackers (15.9%).

Initial point of compromise
The majority (61.4%) indicated that the initial point of compromise was via e-mail (e.g., phishing e-mail). Yet 12.7% indicated that the initial point of compromise was in the “other” category that ranged from web application attacks, compromised customer networks, weak passwords, misconfigured cloud servers, and human error. Still, 11.6% respondents indicated that they did not know the initial point of compromise.

Discovery of attack
The majority of respondents (47.1%) indicated that it took less than 24 hours for their organizations to discover the attack in regard to their organizations’ most recent significant security incident in the past 12 months, while 13.2% of respondents indicated it took 1 to 2 days, and 7.4% of respondents indicated it took 3 to 7 days.

Security risk assessments
The majority (45.5%) also indicated that their organizations conduct security risk assessments once every year. Incidentally, this showed no significant improvement from the 2017 survey. Other respondents indicated shorter time frames for security risk assessments such as daily (9.6%), once a month (9.0%), once a quarter (10.7%), and once every six months (5.6%).

Security awareness training
Most respondents stated that their organizations conduct security awareness training yearly (51.8%) while less than half of that indicated that they conduct such training monthly (22.9%). As agreeably stated in the HIMSS report, “While it is good news that many healthcare organizations are conducting security awareness training on a regular basis, conducting security awareness training only once a year may not be enough. Individuals attending the training may not necessarily retain the knowledge during the rest of the year. Thus, more frequent security awareness training may be desirable.”

Based on the entirety of the survey, “desirable” might more appropriately be stated as “necessary.” Contact the experts at PrivaPlan at and learn how we can help you with a security risk analysis, security awareness training, phishing tests and more. We’re 100% here for you.