85% of hospitals experienced ‘vendor disruption’ in last year, as most brace for cyberattack inevitability, report shows
A new report from a cybersecurity firm looking at the healthcare industry reveals that the vast majority of medical practices (85%) experienced “at least one operational disruption” linked to a third-party vendor, in most cases one seen as critical to operations.
All the same, 70% of leaders told Omega Systems that they are “confident in their vendors’ cybersecurity posture,” though most (63%) admitted they do not monitor their digital supply chains, meaning they are not keeping tabs on data security policies related to critical services such as the electronic health record.
It isn’t until something goes wrong that they pay attention, the cybersecurity group added. This visibility gap is even more concerning when you consider that 61% of provider groups who responded to a survey said they are expecting a “fatal cyberattack” to occur in the next five years that will cripple patient care operations.
Omega Systems said this trend points to a passive cybersecurity posture at healthcare organizations, where 62% are still treating issues related to data security compliance as a “technical line item rather than a patient-safety priority.”
“Fifty-two percent of practices have no managed security service provider (MSSP), and 39% manage cybersecurity entirely in-house,” the firm wrote in its analysis. “Thirty-five percent say this leaves their teams understaffed, and 23% describe their technology as antiquated.”
This is despite positive responses from practices that do partner with an outside MSSP. Of them, 42% have access to managed threat detection and 35% have deployed advanced firewalls.
These capabilities, and others, will reduce downtime and allow practices to respond to threats more quickly, Omega Systems said.
Unpatched, outdated IT systems
Zooming out, the security posture across the healthcare space is lacking. Eighty percent of medical practices were found to have gaps in their recovery plans. Further, 31% are still operating legacy systems known to be vulnerable to breaches.
They are also less than honest about compliance in many cases. Omega Systems said in its report that 60% of leaders assert they are compliant with HIPAA regulations, despite leaving systems unpatched and potentially open to breaches.
When a breach occurs that causes EHR downtime, negative outcomes include frozen revenue streams, loss of medical record access and potential malpractice liabilities.
Omega Systems said that in 25% of cases these breach victims are forced to shut down operations altogether after the incident is resolved.
The full report from the firm can be found by clicking here.
