Merlin International & Ponemon Institute Cybersecurity Study Signals Dangerous Diagnosis for Healthcare Industry

Attacks outpacing investments in personnel, education and resources; only half of executives confident of overall security posture

VIENNA, Va.--Merlin International, a cybersecurity solutions provider for healthcare organizations, in partnership with the Ponemon Institute, a leading IT security research organization, today released the results of its “2018 Impact of Cyber Insecurity on Healthcare Organizations” study. Recognizing that hospitals and payer organizations (healthcare organizations, or HCOs) face constant and increasingly destructive cyberattacks, the survey examines the myriad cybersecurity-related challenges they face and how organizations are (or are not) addressing them. The results show that the stakes are high: 62 percent of the 627 executives surveyed reported experiencing an attack in the past 12 months, and more than half of those lost patient data as a result.

According to publicly available data, breaches in the last year hit a new all-time high. Of the five industries tracked, the medical/healthcare sector accounted for more than 23 percent of total breaches in 2017, exposing more than five million patient records. Only the business sector recorded more breaches; healthcare has ranked second for the fourth year running.

Among the healthcare providers surveyed, the majority set, manage and/or determine IT priorities, budgets and strategy. Most work at organizations with between 100 and 500 patient beds (67 percent) and an estimated ten thousand to one hundred thousand network-connected devices (66 percent). A detailed categorization of survey respondents can be found in the full report.

Who is attacking? What do they want? How are they doing it?

Notably, the organizations surveyed are about as concerned with external attacks (63 percent) as they are with employee negligence or malicious insiders (64 percent). And what are the attackers after? Respondents highlighted these top five targets:

  • Patient medical records (77 percent)
  • Patient billing information (56 percent)
  • Log-in credentials (54 percent)
  • Passwords and other authentication credentials to systems, servers or applications (49 percent)
  • Clinical trial and other research information (45 percent)

Attackers looking to disrupt operations, steal data or hold it for ransom subject healthcare organizations to a wide range of attacks. Exploitation of existing software vulnerabilities more than three months old leads the way at 71 percent, i.e., the flaw had been known for at least a quarter before it was exploited, followed closely by web-borne malware at 69 percent. While the report finds many traditional attack types still in use, the rise of ransomware, reported by 37 percent, should raise alarm: it is a growing and lucrative attack vector, and attackers are earning significant income from holding systems and data hostage.

Another concern is the security of medical devices: 65 percent of those surveyed answered “no” or “unsure” when asked whether medical device security is part of their overall cybersecurity strategy. And though these devices appear to be a new and growing target for attackers, 31 percent have no plans to include them in the near future.

Education, Resources and Process...a Lack of

52 percent of those surveyed agreed that a lack of employee awareness and training affects their ability to achieve a strong security posture. In addition, 74 percent cited insufficient staffing as the biggest obstacle to maintaining a fully effective security posture. According to the responses, only 51 percent of organizations have a dedicated Chief Information Security Officer (CISO), and 60 percent of those surveyed do not think they have the right cybersecurity qualifications in-house.

On top of the lack of education, training and resources, only half of the organizations (51 percent) have any type of incident response program at all. The other half therefore have no defined process for containing an attack, remediating it, and preventing it from recurring or causing extensive damage. With respondents putting the average cost of a compromise at roughly four million dollars, increased investment in and attention to education, resources and process appears long overdue.

“In an increasingly connected, digitally centric world, hackers have more opportunities and incentive than ever to target healthcare data, and the problem will only increase in scope over time,” said Merlin International’s Director of Healthcare Strategy, Brian Wells. “Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care.”

About Ponemon Institute:

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About Merlin International

Merlin International is a leading provider of next-generation cybersecurity solutions that protect government and commercial organizations. Merlin offers a broad portfolio of solutions that secure the enterprise from end points to networks, from governance to risk management, from infrastructure to information. Combining solutions with deep industry expertise and experience, Merlin delivers the cybersecurity solutions that organizations need to protect their most critical business assets, while furthering their mission. Merlin is headquartered in Englewood, CO, with government and commercial operations in Vienna, VA.


Merlin International
Sherryl Dorch, 703-752-9971

Release Summary

Merlin International, in partnership with the Ponemon Institute, released the results of its healthcare cybersecurity study.
