Healthcare IT Security Budgets Frozen Despite Increase in Cyberattacks

A recent report from Black Book Research has revealed more than 90% of healthcare organizations have experienced a data breach since Q3 2016, yet IT security spending at 88% of hospitals remains at 2016 levels.

The data comes from a survey of more than 2,400 security professionals from 680 provider organizations. The aim of the study was to identify the reasons why the healthcare industry is particularly vulnerable to cyberattacks.

Black Book Research explains in the report that since 2015 more than 180 million healthcare records have been stolen, with approximately one in 12 healthcare consumers affected by a data breach at a provider organization. Nine out of ten healthcare providers have experienced a breach, and almost 50% of providers have experienced more than 5 data breaches since Q3 2016.

There has been a marked increase in healthcare data breaches over the past three years, with cybercriminals and nation state-backed hackers increasingly targeting the healthcare industry. Even though cyberattacks are on the rise, healthcare IT security budgets are not increasing. It is proving difficult to find the necessary money to make significant improvements to cybersecurity defenses since cybersecurity does not generate revenue. Part of the problem is a lack of funds to replace vulnerable legacy systems and devices. There simply isn’t the money available to commit to such an undertaking.

96% of IT professionals believe that threat actors now have the upper hand and medical enterprises are not identifying and addressing vulnerabilities quickly enough. Each year security posture should improve as cybersecurity programs mature, but that does not appear to be the case in healthcare. Only 12% of respondents believe their security posture will improve in 2019, and 23% of provider organizations believe their security posture will be worse next year.

Money is being spent on cybersecurity solutions, although all too often solutions are purchased blindly, with IT departments lacking vision or discernment. The study revealed 92% of data security product and service decisions have been made at the C-suite level, with department managers having no input into purchasing decisions.

89% of surveyed CIOs said they purchased cybersecurity solutions to meet compliance requirements rather than to reduce risk. When cybersecurity solutions are purchased, it is rare for the effectiveness of those solutions to be evaluated. Only 4% of organizations surveyed had a steering committee that evaluated the impact of investments in cybersecurity.

Healthcare providers appear to have realized the benefits of appointing a chief information security officer (CISO), yet recruiting a suitably qualified person to fill the position is proving difficult. As a result of the inability to recruit staff, 21% of healthcare providers have turned to MSPs to provide security-as-a-service or have outsourced security to partners and consultants.

Engaging the services of a cybersecurity vendor prior to an attack allows hospitals to negotiate the best deal; however, many hospitals have been placed at a severe disadvantage by seeking help from third parties following a cybersecurity incident. 58% of hospitals only chose to outsource security following a cybersecurity breach.

While scanning for vulnerabilities allows healthcare organizations to identify and address weaknesses to prevent data breaches, 32% of healthcare organizations did not perform a scan prior to suffering a cyberattack.

A fast response to a cyberattack can greatly limit the harm caused, although detecting cyberattacks and data breaches remains a major challenge. 29% of healthcare organizations lack a security solution that allows them to instantly detect and respond to a cyberattack.

While most hospitals have developed an incident response plan, 83% of surveyed healthcare organizations have not performed a cybersecurity incident drill to test the effectiveness of their incident response plan. Without testing, it is not possible to tell how effective the plan will be.

A lack of security objectives in strategic and tactical plans, insufficient funding, poorly chosen cybersecurity solutions, and a reactive rather than proactive cybersecurity strategy make the healthcare industry particularly prone to attack. Until changes are made to address all of those areas, the healthcare industry will remain particularly vulnerable, and cyberattacks are likely to continue to increase.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.