While their leaders know the potential of a breach remains high, few hospitals are focused on methodically beefing up their cybersecurity as of yet, according to a new survey.
The survey, which was conducted by Black Book Market Research, connected with 2,876 security professionals from 733 provider organizations to discuss gaps, vulnerabilities and deficiencies they see in their cybersecurity plans.
This year, just 41% said they hadn’t formally identified specific security objectives and requirements in a strategic and tactical plan, a big improvement from 60% in 2018. In addition, 27% of hospitals reported that a Q3 2020 assessment of their cybersecurity efforts will show improvement.
However, nearly all of the respondents (96%) agreed that data attackers are getting ahead of them, with 93% of healthcare organizations having had a data breach since Q4 2016 and 57% having had more than five data breaches during that period.
Eighty-seven percent of respondents hadn’t had a cybersecurity drill with an incident response process, and as of Q3 2019, 84% of hospitals and 65% of payer organizations didn’t have full-time cybersecurity employees on board. Despite this ongoing threat, 90% of hospital respondents reported that their IT security budgets had remained level since 2016.
Another major concern explored in the survey is that many hospitals don’t have a well-developed procedure in place for making cybersecurity investments. The survey found that since 2016, 92% of respondents’ data security product and service decisions were made at the C-level and didn’t include any users or affected department managers. Also, just 4% of organizations had put a steering committee in place to evaluate the impact of their cybersecurity investments, Black Book found.
This may be in part because security doesn’t inform top-level decision making in hospitals. In 2019, just 21% of hospitals surveyed said they had a dedicated security executive in place, and just 6% identified that person as a Chief Information Security Officer.
In addition, 70% of IT management respondents to the survey reported that their operations weren’t well-versed in the variety of cybersecurity solutions that exist, especially mobile security environments, intrusion detection, attack prevention, forensics and testing. This is allowing some vendors to drive the whole process of cybersecurity improvement, with 20% of respondents noting that they felt intimidated by a vendor to address vulnerabilities or security flaws they had identified.
Also, 58% of hospitals didn’t select their current security vendor before they faced a cybersecurity incident, and 94% hadn’t built up their cybersecurity efforts since their last breach. This lack of preparation and/or response to such incidents may be contributing to hospitals’ continued struggles to reduce their vulnerability to breaches.