Small Healthcare Orgs Point to Cybersecurity As Barrier to Cloud Adoption

August 30, 2022 - Healthcare organizations are right to prioritize cybersecurity considering today’s threats, but increasing complexity in cybersecurity may be making it harder to advance cloud adoption and digital transformation, ClearDATA found.

ClearDATA surveyed 200 security, IT, and compliance leaders from a variety of healthcare organizations regarding cloud maturity, infrastructure, cybersecurity priorities, and preparedness. About 63 percent of small and midsize healthcare organizations in particular named cybersecurity as a top barrier to cloud adoption, along with 50 percent of larger providers.

It is important to note that the report was not making a case for deprioritizing cybersecurity. Respondents had numerous valid reasons for prioritizing cybersecurity, including regulatory requirements, the reputational and financial costs of a data breach, and wanting to avoid potential patient care disruptions.

Rather, researchers suggested that the results “underscore the complexity of navigating cloud migration, particularly, the accumulating cybersecurity implications that come with each new digital technology a provider adds — all of which smaller providers may be less equipped to manage on their own.”

In addition, the survey found that the larger the organization, the more likely respondents were to report advanced cloud maturity. More than 40 percent of organizations with more than $1 billion in revenue described their cloud maturity level as advanced, compared to just 20 percent of organizations with annual revenues between $101 million and $200 million.

More than 40 percent of large healthcare organizations also reported outsourcing 100 percent of their security and compliance functions, compared to 22 percent of smaller providers. The ongoing cybersecurity workforce shortage may play a role in how and when organizations choose to outsource their security functions.

Whether large or small, respondents across the board reported proactively increasing their cybersecurity budgets in the last year. More than 70 percent of respondents said that their organization’s security budget grew in the past year.

Overconfidence in Cybersecurity, Cloud Infrastructure Is At Odds With Reality 

“While healthcare has long been behind the curve when it comes to their technology and cybersecurity infrastructure (think: legacy systems), they are now making rapid progress in modernizing and catching up to other industries,” the report acknowledged.

However, the majority of surveyed healthcare professionals reported feeling highly confident about how well their cloud infrastructure is secured. More than 85 percent of survey respondents said that they felt confident in their cybersecurity, cloud security, and compliance programs.

“But does this degree of confidence reflect the reality of cybersecurity preparedness?,” the report asked. “Maybe not.”

Data breaches, ransomware, and phishing are still everyday occurrences within the healthcare sector, the report noted. Additionally, the responses showed a significant disconnect between C-level leaders and other areas of the business.

More than 60 percent of C-level respondents described their organization’s cloud maturity as advanced, compared to 20 to 28 percent of VPs, directors, and managers. This disconnect could be a symptom of poor communication between the C-suite and cybersecurity leaders, or just the fact that C-suite executives may not be exposed to the realities of cyber threats.

In addition, most respondents were confident in reporting that their organizations were “totally prepared” for supply chain attacks, ransomware, and phishing. However, just 63 percent of respondents said that their organizations had implemented basic risk reduction activities such as backing up data and using multi-factor authentication.

Only 60 percent of respondents said that they handled passwords securely, and only 26 percent of surveyed individuals said that they used a people-centric security approach. More than 55 percent of respondents said that they frequently execute mock breach exercises or readiness tests, but the remainder reported only conducting these exercises once per year or less.

“For many providers, there is still a significant opportunity to strengthen their cybersecurity posture — from the basics of multi-factor authentication and security training for employees, to implementing more advanced tactics like streamlining and modernizing their technology infrastructure,” the report stated.

The report told a story of mismatched experiences across healthcare — large and small organizations reported varying levels of cloud maturity, and C-suite and manager-level leaders appeared to be experiencing a disconnect surrounding cybersecurity perceptions.

“While healthcare providers across the board are making important strides toward cloud maturity and security, they must also understand and address the gaps in their technology infrastructure and cybersecurity practices to ensure their success in a rapidly changing industry,” the report concluded.