Healthcare IT Security Budgets Frozen Despite Increase in Cyberattacks


A recent report from Black Book Research has revealed more than 90% of healthcare organizations have experienced a data breach since Q3 2016, yet IT security spending at 88% of hospitals remains at 2016 levels.

The data comes from a survey of more than 2,400 security professionals from 680 provider organizations. The aim of the study was to identify the reasons why the healthcare industry is particularly vulnerable to cyberattacks.

Black Book Research explains in the report that more than 180 million healthcare records have been stolen since 2015, with approximately one in 12 healthcare consumers affected by a data breach at a provider organization. Nine out of ten healthcare providers have experienced a breach, and almost 50% of providers have experienced more than five data breaches since Q3 2016.

There has been a marked increase in healthcare data breaches over the past three years, with cybercriminals and nation state-backed hackers increasingly targeting the healthcare industry. Even though cyberattacks are on the rise, healthcare IT security budgets are not increasing. Because cybersecurity does not generate revenue, it is proving difficult to find the money needed to make significant improvements to cybersecurity defenses. Part of the problem is the cost of replacing vulnerable legacy systems and devices: the funds to commit to such an undertaking simply are not available.

96% of IT professionals believe that threat actors now have the upper hand and that medical enterprises are not identifying and addressing vulnerabilities quickly enough. Security posture should improve each year as cybersecurity programs mature, but that does not appear to be the case in healthcare. Only 12% of respondents believe their security posture will improve in 2019, and 23% of provider organizations believe their security posture will be worse next year.

Money is being spent on cybersecurity solutions, although all too often solutions are purchased blindly, with IT departments lacking vision or discernment. The study revealed 92% of data security product and service decisions have been made at the C-suite level, with department managers having no input into purchasing decisions.

89% of surveyed CIOs said they purchased cybersecurity solutions to meet compliance requirements rather than to reduce risk. When cybersecurity solutions are purchased, it is rare for the effectiveness of those solutions to be evaluated. Only 4% of organizations surveyed had a steering committee that evaluated the impact of investments in cybersecurity.

Healthcare providers appear to have realized the benefits of appointing a chief information security officer (CISO), yet recruiting a suitably qualified person to fill the position is proving difficult. Because of this inability to recruit staff, 21% of healthcare providers have turned to managed service providers (MSPs) for security-as-a-service or have outsourced security to partners and consultants.

Engaging a cybersecurity vendor before an attack allows hospitals to negotiate the best deal, whereas hospitals that seek help from third parties only after an incident negotiate from a position of severe disadvantage. 58% of hospitals only chose to outsource security following a cybersecurity breach.

Scanning for vulnerabilities allows healthcare organizations to identify and address weaknesses before they are exploited, yet 32% of healthcare organizations had not performed a vulnerability scan prior to suffering a cyberattack.

A fast response to a cyberattack can greatly limit the harm caused, but detecting cyberattacks and data breaches remains a major challenge: 29% of healthcare organizations lack a security solution that allows them to detect and respond to a cyberattack as it happens.

While most hospitals have developed an incident response plan, 83% of surveyed healthcare organizations have never run a cybersecurity incident drill to test it. Without such testing, there is no way to know how effective the plan will be when it is needed.

A lack of security objectives in strategic and tactical plans, insufficient funding, poorly chosen cybersecurity solutions, and a reactive rather than proactive cybersecurity strategy make the healthcare industry particularly prone to attack. Until all of those areas are addressed, the healthcare industry will remain particularly vulnerable, and cyberattacks are likely to continue to increase.

Author: HIPAA Journal
