A new report has just been published, covering the current state of cybersecurity in the US healthcare sector. Considering the very public breaches of Anthem and other health insurers over the last year, the sector is under particular scrutiny. Unfortunately, the results are not very encouraging.

Of the 94 facilities surveyed, only 61% have a web application firewall in place, and only 16.5% intend to implement one. 42% also don’t have any sort of DDoS protection solution set up. Yet more worrying is that 23% of those surveyed have no web security program in place at all; half of these have 200 beds or more, making them large facilities, which are just as likely to be attacked as any other.

HIMSS Survey

Surprisingly, considering the above, 61% still responded that they somewhat agree, agree or strongly agree with the statement that their facility is adequately protected. Further to that, 30% ‘neither agreed nor disagreed’ that their facility, considering the sector it is in, was a potential target for attacks.

Besides WAFs and DDoS protection, respondents were also asked if they had Content Delivery Networks or Cloud WAFs in place; only 21% had either. Unfortunately, the survey was limited to these four technologies, and no information was collected about what other security mechanisms the facilities had in place. Nor has any information been given about whether any of these facilities had already detected an attack.

What this survey shows, overall, is that awareness of web security in the healthcare industry is lacking and that, as yet, there do not seem to be concrete plans in place to rectify this. It also calls into question whether such facilities take HIPAA compliance seriously, as it appears many are unlikely to be compliant.

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.