Providers lag behind hackers in trying to protect data
Provider efforts to improve security remain underfunded and understaffed, according to Black Book Research in its annual look at healthcare’s threat environment.
The research firm surveyed nearly 2,500 security professionals from 680 provider organizations to identify vulnerabilities that continue to leave hospitals and physician practices open to attack. Nearly all—96 percent of the surveyed professionals—acknowledge that attackers continue to outpace providers in thwarting security.
Nearly all surveyed organizations had at least one breach since the third quarter of 2016, and half of them have had more than five breaches in that time period.
Still, providers underinvest in security. Tight budgets keep providers from buying newer and more secure software. “It is becoming increasingly difficult for hospitals to find the dollars to invest in an area that does not produce revenue,” explains Black Book founder Doug Brown.
Compounding the problem, when providers do invest in security, most decisions are made at the C-level without users or department managers having a say in the purchase decision. Only 4 percent of respondent organizations had a steering committee to evaluate cybersecurity options, and their decisions made may not be the right ones.
“The dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data,” Brown contends. “Cybersecurity is a newer line item for hospitals and physicians, and budgets have not evolved to cover the true scope of human capital and technology requirements yet.”
Other findings of the study:
* 89 percent of surveyed CIOs bought their cybersecurity solution to be compliant, not necessarily to reduce risk when the IT decision was made.
* 83 percent of respondents have not had a cybersecurity drill with an incident response process.
* 57 percent are not aware of the variety of cybersecurity solutions that include mobile security, intrusion detection and attack prevention, as well as use of forensics and testing.
* 58 percent did not select their existing cybersecurity vendor prior to an incident occurring. “Providers are at a severe disadvantage when they are forced to hastily retain a cybersecurity firm in the midst of an ongoing incident as the ability to conduct the necessary due diligence is especially limited,” Brown asserts.
* 32 percent did not scan for vulnerabilities prior to an attack.
More survey results are available here.