Healthcare Data Security Programs Get Short Shrift in IT Budgets

Healthcare data security programs continue to be underfunded and understaffed, a Black Book Market Research cybersecurity survey of close to 2,500 healthcare security professionals found.

By Fred Donovan

Almost all of the respondents agreed that cyberattackers are outpacing healthcare organizations in funding and technology, leaving providers far behind in the race to protect patient data.

As a percentage of IT budgets, cybersecurity spending has shrunk to around 3 percent of total annual IT spending, the survey found.

“It is becoming increasingly difficult for hospitals to find the dollars to invest in an area that does not produce revenue,” said Black Book Founder Doug Brown.

Not only are cybersecurity budgets being cut, but decisions about cybersecurity spending are being made at the C-level without including users or affected department managers, the survey found. Only 4 percent of organizations had a steering committee to evaluate the impact of the cybersecurity investment.

The lack of funding and poor investment decisions have led to an explosion in the number and scope of healthcare data breaches.

More than 90 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and nearly half had more than five data breaches during the same period. More than 180 million records have been stolen since 2015, affecting about one in every 12 healthcare consumers.

In an era of proliferating threats and increasing fines and lawsuits, a striking 84 percent of hospitals said in last year’s Black Book cybersecurity survey that they did not have a dedicated security executive at their organization.

Fewer than one-fourth of organizations opted to outsource security to partners and consultants or pursued a security-as-a-service option.

The survey found some disturbing results about how organizations approach selecting security vendors.

Unfortunately, 58 percent of hospitals selected their current security vendor only after a cybersecurity incident, and 32 percent of healthcare organizations did not scan for vulnerabilities before an attack.

Sixty percent of healthcare organizations have not formally identified specific security objectives and requirements in a strategic and tactical plan, and 83 percent have not run a cybersecurity drill that exercises their incident response process.

Only 12 percent of hospitals and 9 percent of physician organizations believe that an assessment next year of their cybersecurity posture will show improvement. Twenty-three percent of provider organizations believe their cybersecurity position will worsen, as compared to 3 percent in other industries.

In 2018, 24 percent of providers still did not carry out measurable assessments of their cybersecurity status. Of those that did, 7 percent used a third-party service to benchmark their cybersecurity status, 6 percent used software to do so, and 78 percent self-assessed using their own criteria.

Close to three-quarters (74 percent) of CIOs did not evaluate the total cost of ownership (TCO) before committing to their current cybersecurity solution or service contract. Eighty-nine percent reported that, when the IT decision was made, they bought their cybersecurity solution to be compliant rather than to reduce risk.

Black Book surveyed healthcare organizations and picked the top security vendors in 18 categories of cybersecurity products based on 18 qualitative indicators of client experience and solution/service satisfaction and three indicators of customer loyalty. Some of the results follow:

The top spot for authentication and authorization went to FireEye; blockchain technology, Hashed Health; compliance and risk management, Clearwater Compliance; cybersecurity advisors and consultants, Leidos; endpoint security solutions, Carbon Black; healthcare data encryption, Onpage; medical device and IoT security, Fortified Health Security; patient privacy monitoring, Fairwarning; and ransomware attack mitigation, Zix Corporation.

“The key place to start when choosing a cybersecurity vendor is to understand your threat landscape, understanding the type of services vendors offer and comparing that to your organization’s risk framework to select your best suited vendor,” concluded Brown.

Despite the lack of earmarked funds by US healthcare buyers, Black Book projects that global healthcare cybersecurity spending will exceed $65 billion cumulatively over the next five years.
