The HIMSS annual survey finds most organizations are planning to spend more to protect their systems. But systems are struggling to recruit and retain cybersecurity staff.
The cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group, has brought even more attention to the risks of attacks on health organizations.
Hospitals, health systems, physicians and pharmacies are all seeing problems from the attack, including trouble with billing, getting insurance approvals and filling prescriptions. Health organizations are also seeing delays in payments. Medical groups, especially smaller ones, are seeing a cash crunch.
Even before the Change Healthcare attack, health organizations had been starting to budget more for cybersecurity programs, according to the 2023 HIMSS Healthcare Cybersecurity Survey Report, which was released this week. While health systems are spending more, they are still struggling to hire and keep skilled cybersecurity professionals.
HIMSS, the Healthcare Information Management and Systems Society, surveyed 229 healthcare cybersecurity pros. Most (55%) said their cybersecurity budgets increased, while about a quarter (23%) said they stayed the same. About 3% said their budgets decreased, while the remainder (18%) said they didn’t know.
Healthcare organizations are spending an average of 7% of their budgets on cybersecurity, the report states. Typically, health organizations spent 6% or less of their budgets on protecting their systems.
“Robust cybersecurity measures require substantial investment in cybersecurity resources,” the report states.
The report also offers a sober assessment for those that aren’t investing in cybersecurity, saying, “Healthcare organizations that lack adequate funding for their cybersecurity programs will likely struggle to keep up with evolving threats.”
Most healthcare IT professionals say they expect their cybersecurity budgets will continue to grow in 2024. A solid majority (57%) said they expected greater spending on cybersecurity this year, while 17% said they expected it to remain the same, and 18% said they didn’t know. About 3% of those surveyed said they expected a dip in cybersecurity spending.
A majority of healthcare IT professionals (55%) said their organization experienced a significant security incident over the last year, while about one-third (32%) of respondents said they did not have a serious breach.
Healthcare organizations continue to struggle to attract top cybersecurity professionals, and that’s been a difficult issue for some time.
Roughly 3 of 4 IT professionals (74%) said hiring qualified cybersecurity professionals “was a significant workforce challenge,” according to the report.
Even with health systems spending more on cybersecurity, almost half of the IT pros surveyed (43%) said their organizations “lack sufficient budget to hire qualified healthcare cybersecurity professionals,” the report states. Some of the respondents said they weren’t able to offer competitive salaries, and cybersecurity leaders have said talented cybersecurity professionals can earn more in other sectors.
Nearly half of those surveyed (47%) also indicated that they had trouble finding cybersecurity professionals with sufficient experience, and 38% said candidates lacked experience in the healthcare industry. “This is important because healthcare cybersecurity is directly correlated to patient safety,” the report states.
Healthcare organizations, perhaps not surprisingly, are also having trouble keeping the cybersecurity professionals they have on staff.
More than half (57%) say retaining cybersecurity professionals is a challenge. Some say insufficient compensation is part of the problem, but they cite other challenges.
Some cybersecurity professionals are leaving due to a lack of opportunities to grow in their career, the stress, and “a lack of executive support,” the report states.
“With adequate support from executives, meaningful work, and contributions to the organization that are valued, cybersecurity professionals will thrive,” the report states.