Four-fifths of U.S. health-care executives say their information technology has been compromised by hackers, a symptom of the sector’s lack of investment in cyber security, according to a new survey.
KPMG said in the report accompanying the survey results that health-care organizations are at increased risk for a cyber attack because of the “richness and uniqueness of the information that health plans, doctors, hospitals, and other providers handle.” Information that is stolen can be used for financial and medical insurance fraud.
But despite the “significant repercussions” of an intrusion, KMPG said, the health care sector lags other industries in terms of its preparedness, with only 53% of providers and 66% of payers considering themselves ready to defend against attacks.
“The magnitude of the threat against health care information has grown exponentially, but the intention or spend in securing that information has not always followed,” said Michael Ebert, a KPMG partner and health care leader at the firm’s cyber practice.
According to Ebert, a large percentage of organizations are actually under-reporting security threats. In fact, 25% of the survey respondents said they either don’t have or don’t know their capabilities, in real time, to detect if their organization’s systems are being compromised.
The report says there are vulnerabilities in the way health care organizations fund, manage, enable, organize, and implement their IT protection capabilities. Clinical technology is outdated, network-enabled medical devices are insecure, and there is an overall lack of information security management processes, KPMG said.
Threats include the ease of distributing electronic protected health information and the heterogeneous nature of networked systems and applications. A network-enabled respirator, for example, may pump on the same network as registration systems that can browse the Internet.
Some providers still rely on Windows 7 and XP because certain updates to their technology would require Food & Drug Administration approval, Ebert noted.
The primary focus of health care organizations “is on care, but they also have to spend the right amount to protect their environment,” he told SC Magazine.