According to a survey undertaken by Bloomberg Law and the American Health Lawyers Association, in which both corporate attorneys and in-house counsel were polled, 97 percent of respondents believe they will experience increased involvement in cases involving cybersecurity; 57 percent said it will be a significant increase. Fifty-three percent of those surveyed believe that cyberattacks are where their clients are the most vulnerable. Employee negligence or insider threats ranked a close second, at 47 percent. But only a quarter of respondents said that the healthcare organizations they represented are “very prepared” to handle a cyberattack; 70 percent said they were “somewhat prepared,” with the remaining 5 percent not being prepared at all.
“While it is encouraging that healthcare attorneys are on the front lines of preparing for and responding to cyberincidents, it is apparent from this survey that there is much more that needs to be done,” said Scott Falk, a vice president and general manager with Bloomberg Law, in a statement. “For example, there is overwhelming agreement from respondents that it is important to improve formal cybersecurity education and training for healthcare lawyers. Thus there is tremendous value in utilizing external resources and professional organizations that can meet this critical need.”
Healthcare continues to be the number one target for cyber-criminals. In another poll of 535 healthcare IT and IT security practitioners, 48 percent said their organization had a breach involving loss or exposure of patient information in the past year. They cited some of their biggest threats as system failures, unsecured medical devices, identity thieves and unsecured mobile devices.
Despite widespread publicity about insecure medical devices, however, only 27 percent of respondents said their organization includes medical devices in its cybersecurity strategy.
Other findings from this report include:
- Exploits of existing software vulnerabilities and Web-borne malware attacks are the most common security incidents.
- On average, organizations have an advanced persistent threat (APT) incident every three months, yet only 26 percent said their organizations have systems and controls in place to detect and stop them.
- Sixty-three percent of respondents said the primary consequences of APTs and zero-day attacks were IT downtime, followed by the inability to provide services. Forty-four percent said these incidents resulted in the theft of personal information.
- Only 33 percent of respondents rate their organizations’ cybersecurity posture as very effective.