New research suggests that despite extensive efforts to turn the tide, healthcare organizations continue to struggle with fending off cyberattackers, in part due to a dramatic shortage of security talent for hire.
The recent study surveyed 2,464 security professionals at 705 provider organizations about the gaps, vulnerabilities and deficiencies in their employers’ security infrastructure that could leave those organizations open to breaches by cybercriminals.
In theory, providers should have the means to protect themselves. According to the researchers, healthcare industry leaders expect to spend $134 billion on cybersecurity from 2021 to 2026, starting at $18 billion in 2021 and increasing 20% each year to almost $37 billion in 2026.
Despite this spending, 96% of IT respondents reported that attackers continue to stay ahead of medical enterprises, and 82% of health-system CIOs and CISOs surveyed in Q3 2020 agreed that security dollars are not being allocated effectively and are often spent only after a breach has occurred. In many organizations, the survey found, no full assessment of security capability gaps is ever led by senior management outside the IT department.
One major reason for these failures of cybersecurity hygiene may be the dramatic shortage of healthcare security professionals to take the reins. When Black Book surveyed 291 healthcare industry human resources executives about the availability of cybersecurity candidates, it found that demand was far ahead of supply.
On average, Black Book found, cybersecurity roles in health systems take 70% longer to fill than other IT jobs. HR respondents said that it takes an average of 118 days to fill such positions, nearly three times as long as national averages for security experts in other fields.
The researchers also found that COVID-19 has substantially increased the risk of data breaches as remote work and cloud-based business operations become more common. Understaffed and underfunded IT security departments are struggling to keep up with the rapid growth in demand for remote services from patients and physicians, while at the same time contending with a steady rise in security risk.
Researchers also noted that 90% of health-system and hospital employees who moved to work-from-home assignments in the wake of the pandemic did not receive updated guidelines or training on the risks of accessing sensitive patient data remotely.
Compounding these problems, 40% of all clinical hospital employees reported receiving little or no cybersecurity awareness training this year beyond instruction on log-in access. This dovetails with a Kaspersky study released last year, which found that one-third of healthcare employee respondents had never received such training.
In response to these challenges, 59% of health-system CIOs responding to the survey are shifting their security strategies to focus on user authentication and access. This is in part because stolen and compromised credentials remain an ongoing issue for 53% of health systems, and attackers are increasingly exploiting cloud misconfigurations to breach networks.