Roughly eight out of 10 health information technology leaders recently surveyed say their provider or insurance organizations suffered a cyberattack that compromised their computer systems in the past two years, according to the consulting group KPMG.
Only 16% of the 223 executives who participated in the survey said their organizations had not been compromised in the past 24 months while another 3% were unsure.
The 81% share of organizations with breached systems could be even higher if the remaining 19% are like most health IT leaders, said Michael Ebert, head of KPMG's health and life sciences cyber practice.
“I would argue that many of the providers aren't even aware that their systems have been compromised,” Ebert said. “They don't necessarily know who's in their systems or what's occurred.”
One in four respondents said, based on their knowledge of their organization's defenses, that they either lack the capability to detect in real time whether their organizations are being compromised, or do not know whether they have it.
Malware, chosen by 65% of respondents, and botnets, selected by 26%, were the most commonly mentioned external attack vectors, while internal sources of attack were cited by 26% (respondents could select more than one). All three types of attacks occurred more or less with the same frequency for providers and payers.
Forbes Insights conducted the survey for KPMG. It queried chief information officers, chief technology officers, chief compliance officers and chief security officers at 161 providers and 101 health plans. Leaders from integrated delivery networks were double counted as coming from a provider and a health plan. All had revenue of at least $500 million; 70% had revenues of more than $1 billion.
Most healthcare organizations lag behind other industries in terms of the money and effort spent on cybersecurity, Ebert said.
“There are some very good actors (in healthcare) that have invested in people, processes and technology, but the industry is so far behind, you still have a large percentage that are not investing,” he said. And it takes all three, he said. “You can buy all the technology in the world and that won't help unless you have the people and processes in place to use that technology.”
To catch up with other industries, Ebert recommends healthcare leaders make a three- to five-year commitment to improve cybersecurity. Historically, health IT talent has been in short supply, and data security professionals have been no exception.
Fortunately, the talent pool is growing, said Ebert, who heads cyber recruiting for KPMG.
The military has developed information security experts and a number of universities have “stepped up” and developed top-quality data security programs, including Carnegie Mellon, Drexel, Penn State, Rutgers, Temple, the University of Delaware and the Massachusetts Institute of Technology. All have done “a wonderful job of attracting talent and training talent,” he said.
Recently, television programs and movies in which computer geeks are often positively portrayed, sometimes heroically, have been a boon to recruitment, sparking the interest of a lot of young people, he said.
“I have a kid behind my house that was challenged by a high school teacher to hack their internal grade system and he did it in three days,” Ebert said. “They hired that kid to run their systems while he's still in high school. You're seeing a lot of youth with energy and channeling it into the cybersecurity.”