42% of Healthcare Organizations Do Not Have Incident Response Plans

Almost half of surveyed healthcare organizations have not implemented an incident response plan in preparation for a cyberattack, research shows.

Over 40 percent of surveyed healthcare organizations have not yet implemented an incident response plan to account for the constant threats of phishing, ransomware, and cybersecurity vulnerabilities that plague the industry, according to a report by Shred-it, a security service provided under Stericycle.

Despite nearly half of healthcare organizations lacking an incident response plan, healthcare was significantly more likely to have one than every other surveyed industry, including finance, insurance, and real estate.

However, the healthcare sector faces a disproportionate number of data breaches and cyberattacks, which has only been exacerbated by the pandemic. In addition, the healthcare sector is unique in that patient safety is at stake if an organization is underprepared for a data breach.

“In 2020, there was a 73% increase in the number of confirmed data breaches in the healthcare industry,” the report stated.

“These incidents exposed 12 billion pieces of protected health information (PHI). Within this context, healthcare organizations would be well advised to continue their vigilance.”

Over 56 percent of healthcare respondents said that their organization had experienced at least one data breach in the past. Over a quarter of respondents from the healthcare sector reported experiencing a data breach within the last 12 months alone.

While three-quarters of healthcare respondents said that information security is a top priority for their organizations, only 33 percent reported performing vulnerability assessments, and 48 percent undergo regular infrastructure auditing.

Results revealed that significant improvements must be made in terms of healthcare cybersecurity efforts, but healthcare fared well compared to other surveyed industries in some categories. For the finance industry, only 40 percent of respondents stated that information security was important to their company, compared to 75 percent of healthcare respondents.

The finance industry does not put patient safety at risk, but it is an equally lucrative target for cyberattacks.

Over 60 percent of healthcare respondents reported believing that a data breach would be costly for their organization, and 61 percent said that their organization has hired a third-party security expert to evaluate security practices. Healthcare data breach costs have skyrocketed since the onset of the pandemic, costing on average $9.23 million per incident.

In addition to costly recovery expenses, over half of healthcare respondents reported feeling that a data breach would have a major impact on their organization’s reputation.

Four out of ten surveyed business leaders rated the risk of a data breach in the next 12 months as a four or five on a five-point risk scale, showing that organizations are very aware of the likelihood of a breach. While 40 percent of total breaches were caused by external partners, nearly a quarter of breaches were the result of employee error, showing an increased need for employee cybersecurity training across all industries.

Across all surveyed sectors, 62 percent of respondents said that a data breach had resulted in an executive resignation or termination. Many more reported legal issues, financial losses, damage to reputation, and staff termination.

The report concluded that organizations should develop a comprehensive incident response plan, employ a data minimization strategy, embrace the cloud, and invest in endpoint detection and response technology in order to mitigate risk.