Without the right healthcare cybersecurity roles being filled at covered entities, it can be more difficult for organizations to ensure that sensitive data remains secure. Along with CISOs, privacy officers, and compliance officers, entities must ensure that all staff members are properly trained in the latest cybersecurity trends.
A recent survey, though, indicates that healthcare might not be putting enough of a focus on its cybersecurity needs.
Eighty-four percent of healthcare organizations do not have a cybersecurity leader, according to results from a Q4 2017 Black Book survey. Additionally, just 11 percent stated they plan to get a cybersecurity officer for 2018.
Black Book surveyed 323 strategic decision makers at US healthcare organizations, including providers and payers.
The survey also found that only 15 percent of organizations have a chief information security officer (CISO) currently in charge.
“The low security posture of most healthcare organizations may prove a target demographic for which these attacks are successful,” Black Book Managing Partner Doug Brown said in a statement. “Cybersecurity has to be a top-down strategic initiative as it’s far too difficult for IT security teams to achieve their goals without the board leading the charge.”
One-third of payers surveyed said they currently have an established cybersecurity program manager, and 44 percent reported they planned to recruit a candidate for the role in 2018.
Just over half of all respondents said they do not conduct regular risk assessments, while 39 percent stated they do not conduct regular firewall penetration testing.
Nearly all surveyed C-suite members – 92 percent – said potential data breach threats and cybersecurity itself are still not key focus areas for their boards of directors.
Additionally, 89 percent of respondents said their 2018 IT budgets were dedicated to business functions with provable business cases. “Only a small fraction” was being saved for cybersecurity, the survey found.
The cybersecurity skills shortage, though, is a broader problem, and healthcare is only one of the industries affected.
A November 2017 survey from the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) showed that 62 percent of cybersecurity professionals believe their organizations are falling behind in providing an adequate level of training. Seventy percent stated that the cybersecurity skills shortage has affected their organization.
ISSA and ESG surveyed over 300 information security professionals in numerous industries.
“We are not making progress, cyber security professionals can’t scale, and the implications of the skills shortage are becoming more pervasive and ominous,” said ESG Senior Principal Analyst Jon Oltsik. “It is clear that the solution must be about more than filling jobs. It is about creating an environment from the top down of cyber security as a priority.”
The cybersecurity skills shortage is an “existential threat” to national security, added Oltsik, who also authored the report.
The ISSA and ESG survey also found that 45 percent of organizations experienced at least one security event over the past two years. The majority of those surveyed – 91 percent – also believe that most organizations are vulnerable to a significant cyberattack or data breach.
A lack of adequate training of non-technical employees (31 percent) and a lack of adequate cybersecurity staff (22 percent) were listed as the top two contributing factors to cyberattacks or data breaches.
Thirty-one percent of respondents also said there was a shortage of security analysis and investigations skills, while 31 percent cited an application security skills shortage. Twenty-nine percent of those surveyed said there was a lack of cloud computing security skills.
Key tips for overcoming the healthcare cybersecurity skills gap
Cybersecurity must be instilled at all levels within healthcare organizations, starting at the C-suite and moving down to every staff member. Entities cannot afford to assume that a data breach will never happen to them, as organizations of all sizes could be the victim of a cyberattack or other type of security incident.
ISACA Chief Innovation Officer Frank Schettini further stressed this point in a previous interview with HealthITSecurity.com.
“That really runs the gamut of everything from awareness to the appropriate policies and processes so that you can understand what the escalation path is,” Schettini said. “Organizations want to understand who needs to know what in communications across the board, as well as having the right level of incident or response capabilities.”
CISOs need to be able to communicate with the rest of the C-suite, Schettini added.
“Instead of talking about the specific technologies, they really need to be looking at everything from a risk management perspective on what that means to the enterprise, because that's the language that the board and the C-suite really understand,” he said.
It’s important to be specific in how each investment will be utilized to mitigate risk, and training is a critical aspect to that process, Schettini explained.
Not only should healthcare organizations have a designated privacy or security officer, with a CISO being ideal, but there should also be regular cybersecurity and compliance training for all employees. This could take the form of bi-annual training and/or monthly security updates.
There cannot be a “one size fits all” approach either, as individuals will have different cybersecurity backgrounds and will be performing different tasks for the organization.
Varied training tools can also be beneficial, such as computer-based training, classroom training, monthly newsletters, posters, email alerts, or team discussions.
Healthcare cybersecurity threats will continue to evolve, which is why entities must also alter their data security approach to adequately face those threats. Data breaches cannot always be prevented, but measures can be taken to ensure strong detection and response methods.