HIMSS Media, on behalf of Mimecast, recently published a study which revealed that over the past 12-month period, 90% of healthcare organizations encountered at least one email-based threat, 72% suffered downtime because of such an attack, and one-fourth said the attacks were very or extremely disruptive.
Healthcare organizations are a primary target of cybercriminals because of the large quantities of personal and health information they hold, which can be used for various fraudulent transactions. Email-based attacks are easy to carry out because healthcare email security defenses are poor compared to other industry sectors and security awareness training is often overlooked.
The study, conducted in November 2019, had 101 participants who were substantially engaged with email security at U.S. hospitals and health systems. Three out of four respondents stated they have, or are about to launch, an extensive cyber resilience program; however, just 56% of respondents stated they already have such a plan in place. When questioned about their present email security deployments, only half had a high level of confidence that their email security measures would prevent email-based threats.
When asked which email threats were the most disruptive, respondents answered as follows:
- impersonation of trusted sellers (61%)
- credential-harvesting phishing attacks (57%)
- data leaks and threats initiated by cybercriminals stealing users' login credentials (35%)
The major losses attributable to the attacks were:
- productivity (55%)
- data (34%)
- financial (17%)
Email security solutions can prevent most of these threats; however, only 79% of respondents said they had deployed email security controls or were considering deploying them. Internet protection measures had been implemented by only 64% of the surveyed healthcare organizations.
These technical tools are essential, but it is equally important not to neglect the human component. Only 73% of surveyed organizations considered security awareness training an important part of their defenses against email-based cyberattacks. This can partly be explained by how that training is delivered: 40% of respondents said they hold security awareness training roughly quarterly, and just 27% provide training annually.
Given the volume of email-based attacks, it is startling that 11% of respondents stated they provide HIPAA security awareness training less often than once a year, only during onboarding, or only after a major event such as a phishing attack or data breach.
To be better prepared, information technology and security professionals need to reinforce their email security systems by combining the best technical controls with well-informed employees and strong business processes, so as to prevent disruption from email-based attacks.