Providers’ vulnerability to email-borne malware is still high
Despite widespread understanding that emails are at risk of containing malware payloads that can subvert information security systems, that message is not getting through to staff at healthcare organizations.
A new survey demonstrates just how often providers continue to be fooled, underscoring the likelihood that a surprising number of staff and clinicians are at high risk of unknowingly clicking on suspect email attachments.
“We’re just coming out of what was a very bad year, and we still have an industry where it will only get worse,” concludes David Hood, resilience strategist at Mimecast, a cloud-hosted platform vendor, which sponsored a study by HIMSS Analytics on security issues, based on research involving 76 information technology professionals responsible for data security at a variety of provider organizations.
Email-related cyberattacks remain so prevalent that 78 percent of respondents experienced an attack in the form of ransomware or malware—or both—in the past year. Some experienced more than a dozen such cases. Large hospitals, for example, have seen a 63 percent increase in attacks.
While 30 percent of responding healthcare organizations reported one or two attacks in the past year, a quarter of larger facilities experienced 16 or more incidents.
Some 28 percent of smaller providers surveyed did not know how many incidents of malware or ransomware they had, and five percent of medium and large organizations also did not know.
In the study, 83 percent of provider respondents said they viewed ransomware as the most concerning type of email-related threat. In addition, 93 percent of respondents rate email as mission critical to their organizations, and 80 percent use email to send protected health information to other institutions, Hood says.
Almost half of respondents say their organization cannot adequately function if email communication is disrupted.
Many organizations have ramped up cybersecurity training of employees in the past year, emphasizing the need to think carefully before clicking on an attachment, yet 15 percent of employees still will click if the email is about getting the holiday schedule, or a salary list or something else of personal interest, Hood cautions.
“It only takes one click to get the attacker to start searching for data. Hackers can craft very believable emails. We will continue to see ransomware attacks because many providers are willing to pay if the ransomware affects patient care.”