Health Leaders Worry About Third-Party Risk, IoT Security

If a new survey is any indication, healthcare executives may be more worried about Internet of Things vulnerabilities and third-party vendor performance than any other security issues.

The survey, conducted by cybersecurity firm CynergisTek, reached about 60 C-level healthcare executives attending the security vendor's cybersecurity conference, which took place back in May.

When asked about their immediate concerns, 40% of execs reported that third-party risk was the biggest worry, followed by insider threats (27%), social engineering and phishing (27%) and hacking (7%). Despite their worries about these third-party vendors, just 60% of respondents said they were doing both pre- and post-acquisition evaluation of vendors.

When it came to emerging threat areas such as 5G, AI, IoT and supply chain issues, more than 50% said they were most concerned about IoT-related breaches. Meanwhile, almost one-third of respondents reported that medical device security was one of the top five risks facing healthcare organizations.

At the same time, though, few reported having an effective strategy in place to assess medical device vulnerabilities, and 26% said they had no assessment process in place at all for these devices. Also, nearly half of organizations said they had conducted an incident response exercise only once or had never held one at all.

When asked about barriers they faced to meeting privacy and security challenges, 54% reported that a lack of resources such as tools, money or people is the biggest issue, while 13% cited a lack of senior management buy-in. At the same time, though, 40% of the healthcare execs said they didn't know whether their boards were more or less involved with cybersecurity and privacy programs than in the past.

What would hold them back from retaining cybersecurity professionals to protect their organizations? "Culture" was the top difficulty they cited, occupying a higher place than compensation and training. To change the culture, the execs said that they need to establish greater accountability (39%) and address the "old habits die hard" phenomenon (39%). A smaller number (18%) said a lack of resources was an issue, and just 4% named a lack of executive support as a concern.

Meanwhile, when asked how prepared the organizations were for new privacy rules and regulations such as recent state laws addressing individuals’ personal information, 40% reported being moderately prepared, 41% unprepared and 11% unaware of new privacy rules and regulations.

As we reported last month, a recent study found that two years after WannaCry, many health IT pros seem to have gotten their groove back, with 92% of the 600+ health IT pros reporting that their organizations were prepared to respond to a cyber-attack. Though I certainly don't speak for CynergisTek, by my reading its data suggests their confidence may be a bit misplaced.


About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.