Email has been the biggest source of data breaches this year, with 73 breaches between Jan. 1 and the end of November reported to HHS, affecting 573,698 people.
Hospital staff seem to understand this, citing email as the most likely medium for a breach, according to a new survey from security firm Mimecast and HIMSS Analytics. They're not wrong: 4 in 5 U.S. physicians have had cyberattacks in their practices, according to an Accenture survey, and about 78% of respondents to the Mimecast survey said they'd had a malware and/or ransomware attack in the last 12 months.
Nearly a quarter of respondents to the Mimecast survey said they'd had 16 or more malware and/or ransomware attacks in that time.
"This study confirms that no healthcare provider is immune to the growing threat of email-related cyberattacks," said Bryan Fiekers, senior director of HIMSS Analytics, in a statement.
That reality was reflected in respondents' concerns: Nearly all respondents to the Mimecast survey said email is "mission critical" to their organizations. "It's really a business issue to keep it up and running," said David Hood, cyber-resilience strategist in healthcare for Mimecast.
About three-quarters of those surveyed by Mimecast said their organizations are securing email as a way to fortify themselves against attacks. Almost all said they were trying to stop malware and ransomware attacks, and 91% said they were training employees for secure practices.
Large organizations were more likely than medium- and small-sized organizations to undertake these initiatives. "At these smaller organizations, they may not have the security infrastructure around email or the expertise in terms of security personnel to identify when they're attacked," Hood said.
To prevent cyberattacks, organizations must train their employees and give them easy-to-use tools, Hood said. "But you also have to recognize that no matter how much training you do, you can't solve for every problem with human beings in the chain and being involved in the decision to open the email and click on something," he said.
Nevertheless, Mimecast recommends training employees on email risks, analyzing email attachments, checking URLs, inspecting outbound emails and increasing resilience with backups.
"One of the key things is to embrace a more risk-based approach to security beyond just a check-the-box compliance perspective," said John Schoew, managing director of healthcare cybersecurity for Accenture. The organizations with the most sophisticated cybersecurity, he said, are being proactive, looking for anomalous activity before it can cause damage.
While providers are worried about protected health information getting breached, they're also concerned about sharing that data in the first place. Eighty-five percent of those surveyed by Accenture said digitally sharing protected health information is important, and two-thirds said that greater access to patient data would improve care.
As more and more data are stored digitally, more data are breached digitally as well. Breaches overall have been on the rise, with the number of breaches in 11 months of 2017 up 6.4% over the same period of 2016.
"It won't stop until that profitability and the percentage of those attacks that work become so much less that they have to morph," Hood said. "It's a little bit like squeezing a balloon and the air just goes to a different part of the balloon."