Your sensitive health information is worth 10 times more to hackers than your credit card on the black market, reported Reuters in 2014.

According to a new KPMG cybersecurity report (PDF), 81% of healthcare executives surveyed said that their IT security has been compromised at least once in the past two years. Despite the regulatory and legal consequences of a data breach, the authors of KPMG’s report argued that the healthcare industry is behind others when it comes to cyberattack readiness and security technology capabilities.

“The vulnerability of patient data at the nation’s health plans and approximately 5,000 hospitals is on the rise and health care executives are struggling to safeguard patient records,” said Michael Ebert, leader in KPMG’s Healthcare & Life Sciences Cyber Practice in the report’s press release. “A key goal for execs is to advance their institutions’ protection to create hurdles for hackers.”

And the key to advancing that protection, said KPMG in the report, is a “cohesive, coordinated strategy” for healthcare cybersecurity. Elements of a robust strategy (described in more detail below) include: a strategic redesign of IT architecture, a security team and ops center, greater executive awareness, and taking a broad security view of the enterprise — especially third parties.

The KPMG report is based on a survey of 223 US-based executives and was conducted by Forbes Insights. All organizations in the report (which include nonprofit and for-profit companies) had annual revenues over $500 million; 70% had revenues over $1 billion.

The report’s authors, Michael Ebert and Greg Bell, stated that healthcare organizations, in their experience, are seeing greater cyberthreats because of:

  • more digital patient records and automated clinical systems;
  • legacy electronic medical records (EMR) systems and clinical applications that were not designed for current networked environments;
  • distribution of protected health information (PHI) internally (laptops, mobile devices) and externally (third parties and cloud services);
  • the heterogeneous nature of networked systems and applications (e.g., IoT respirator pumps on the same network as registration systems with internet access); and
  • the worsening threat landscape in which cyberattacks are more complicated and persistent given the value of PHI on the black market.

According to KPMG’s survey, the greatest vulnerabilities that healthcare leaders see regarding data security for their organizations are:

  • external hackers (65%);
  • third-party data sharing (48%);
  • employee theft and breaches (35%);
  • wireless computing (35%); and
  • inadequate firewalls (27%).

In addition, the top five information security concerns for their organizations are:

  • malware infections in their IT (67%);
  • HIPAA violations and compromised privacy (56%);
  • internal employee risks such as theft and negligence (40%);
  • medical device security (32%); and
  • legacy IT hardware (31%).

“The magnitude of the threat against healthcare information has grown exponentially, but the intention or spend in securing that information has not always followed,” said Ebert. Healthcare providers can have very thin profit margins due to regulatory enforcement issues and litigation. “A hospital typically has some tough choices when it comes to investing,” added Ebert. “If it has a million dollars it is more likely to spend on patient care and saving lives before protecting their data.”

Over the last 12 months, only 13% of respondents said they tracked more than 350 hacking attempts, roughly one per day. 38% tracked from 50 to 350 attacks, and a sizable 44% tracked less than 50 in that one-year span. The report stated that this is “indicative of organizations not understanding, tracking, reporting and managing threats effectively.”

KPMG believes healthcare organizations lack comprehensive incident response capabilities and are underreporting security threats. “They are probably compromised and don’t even know it,” explained Ebert. 25% of those surveyed said that they don’t have the ability to track cyberattacks in real time.

66% of healthcare payers (e.g., insurance companies, third-party payers) in the survey consider themselves “ready” against cyberattacks, though only 53% of healthcare providers indicated that level of confidence. KPMG countered that view with a survey result showing that 19% of healthcare providers do not have a staff member solely responsible for cybersecurity; that figure for healthcare payers is 8%. 23% of all respondents do not have a security operations center, which is a key component of a robust strategy according to the report.

86% of healthcare providers and 88% of payers invested in cybersecurity during the last 12 months. “That spending rate is probably underinvested considering that the threat to an organization has increased so much,” said Ebert, adding that if “spending on security is not part of a cohesive, coordinated strategy, those expenditures tend to be more wasteful than beneficial.”

The report’s authors recommend four main elements for an effective healthcare cyberstrategy:

  • Incorporation of cybersecurity in the technology and network architecture upfront, via strategic design. Current IT has evolved into interconnectivity, resulting in inadequate controls. Healthcare organizations need to redesign and rebuild their overall security plan.
  • A well-prepared and coordinated cybersecurity team and a security operations center. A healthcare organization also needs an infosec leader, instant monitoring capabilities, and the ability to manage breaches and communicate with relevant stakeholders.
  • Increased cybersecurity awareness and capabilities at all levels. Executives have to be fully knowledgeable about cyberrisks and security, and board members need to help out as well.
  • Taking a broad view of the organization when implementing cybersecurity. With all the business partners in play, healthcare organizations have become “extended value chains.” Third parties unfortunately carry a lot of cyberrisk; those vulnerabilities have to be identified and addressed.