As cyber risks grow, provider preventive measures still falling short

Hospitals are ramping up spending on cybersecurity, but physician practices have scaled back their investments in protecting data.

Despite all these protection efforts, healthcare data breaches likely will cost the industry as much as $4 billion by the end of this year, and 2020 is likely to be even worse, contends an industry research firm.

Black Book Market Research released an annual report on data security Monday, identifying provider organizations as the most likely target for breaches in the industry—thus far in 2019, providers have suffered nearly four out of five breaches. By contrast, health insurers and plans were targeted less often. Insurers have stepped up data protection efforts by implementing more sophisticated information security solutions.

For its report, Black Book surveyed nearly 2,900 security professionals from 733 provider organizations to identify gaps, vulnerabilities and deficiencies in cybersecurity practices.


Hospital systems' expenditures on protections as part of IT budgets rose 6 percent in 2019, researchers say. Protective efforts by physician organizations have decreased since 2018, and 92 percent lack full-time security staff, the research organization contends.

The reason behind healthcare organizations’ growing security efforts is obvious—more than 93 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and 57 percent reported that they’ve had more than five data breaches during the same time period, Black Book’s research found.

External hacking was the cause of more than half (53 percent) of all provider breaches, respondents said.

But spending on cybersecurity will face pressure from other spending in healthcare organizations, even as the rise in successful attacks by both criminal and nation-state-backed hackers is expected to continue.

Budget constraints have put the brakes on the practice of replacing legacy software and devices, leaving enterprises more susceptible to attacks, the researchers contend.

“It is becoming increasingly difficult for hospitals to find the dollars to invest in an area that does not produce revenue,” says Doug Brown, founder of Black Book. According to 90 percent of hospital representatives surveyed, IT security budgets have remained level since 2016.

As a percentage of the IT budgets of health systems and hospital organizations, cybersecurity expenditures have increased to about 6 percent of the total annual IT spend for 2020. However, respondents from physician organizations and groups predict a decrease in actual cybersecurity expense, with less than 1 percent of their IT budgets earmarked for cybersecurity in 2020.

In 2019, 21 percent of hospitals surveyed report having a dedicated security executive, although only 6 percent identified that individual as a chief information security officer (CISO). Only 1.5 percent of physician groups with more than 10 clinicians in the practice report having a dedicated CISO.

The cost of a data breach, as estimated by respondent hospital organizations with actual breaches in 2019, averaged $423 per record.

The shortage of healthcare cybersecurity professionals is forcing a rush to acquire services and outsourcing at a pace six times that of cybersecurity products and software solutions, up 40 percent from last year. Cybersecurity companies are responding to the labor crunch by offering healthcare providers and hospitals a growing portfolio of managed services.

However, providers are making progress in firming up their cybersecurity strategies. Only 41 percent of healthcare enterprises have not formally identified specific security objectives and requirements in a strategic and tactical plan, down from 60 percent the previous year. “Without a clear set of security goals, providers are operating in the dark and it's impossible to measure results,” Brown contends.
