Survey: Hackers usually seek financial information in healthcare attacks

Gaining financial information is the goal of most malicious actors trying to hack into the computer systems of healthcare organizations.

According to a news release, the 2021 HIMSS Healthcare Cybersecurity Survey found that financial information was targeted in 52 percent of healthcare organization hacks last year. A further 43 percent targeted employee information and 39 percent were seeking patient information.

Of the 167 healthcare cybersecurity professionals who responded to the survey, 67 percent say their organizations experienced significant security incidents in the last 12 months. When asked the severity of the most significant security incident in the last year, most, 35 percent, of the respondents said the attack was of medium severity. A further 32 percent say it was highly severe and 20 percent say it was low severity. A stunning 12 percent say they experienced a critically severe security incident, the survey says.

Malicious actors are relying heavily on phishing and ransomware attacks for the most severe attacks. Phishing was cited in 45 significant security incidents in the last 12 months while 17 percent cited ransomware. Breach or data leakage was cited 7 percent, negligent insider activity and social engineering attacks were cited in 5 percent of significant attacks, according to the survey.

General email phishing was the most prevalent form of the practice, with 71 percent of respondents reporting it, while spear-phishing was reported by 67 percent of respondents. Voice phishing or vishing and whaling were reported by 27 percent of respondents, while 23 percent reported business email compromise, the survey says.

While phishing reigns supreme as the initial point of compromise in the most significant security incidents, respondents also cited human error (19 percent), social engineering (15 percent), and legacy (unsupported) software (15 percent).

Despite the prevalence of these attacks, it seems that a large portion of them have little impact on the target. Of the most significant security incidents in the last 12 months, 44 percent of respondents say they had no impact or negligible impact on their organization. A further 32 percent of respondents say the most significant security incident saw their organization’s systems and devices being disrupted impacting their business operations. Meanwhile 17 percent reported a monetary loss, 4 percent report damage and destruction to systems and devices impacting clinical care, according to the survey.