Healthcare Cybersecurity Remains "Understaffed and Underfunded"

In a survey of nearly 2,500 healthcare security experts, over 96% agreed with the notion that bad actors are outpacing the defenses of their medical enterprises.

The research, conducted by Black Book Market Research, was conducted between Q3 2017 and Q2 2018. In addition to the worrying sentiment, it found a number of troubling trends about how hospitals are responding. The survey reported that hospital IT spending on cybersecurity had continued to slip—down to about 3% —while overall IT budgets remained stagnant. Less than 5% of respondents said that their health system had a formal steering committee that evaluated the institution’s cybersecurity investments.

>>LISTEN to Data Book Episode 6: Finding Orangeworm

“The dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data,” Black Book founder Doug Brown said. “Cybersecurity is a newer line item for hospitals and physician enterprises and budgets have not evolved to cover the true scope of human capital and technology requirements yet.”

At healthcare IT meetings, cybersecurity experts often emphasize that network defense has to be an institution-wide, and that it commands the attention of healthcare C-suites. The latter message may be getting through, though the former might be a work in progress: in Black Book’s new survey, 92% of respondents reported that data security decisions made at the C-level “failed to include any users or affected department managers in the cybersecurity purchasing decision.”

Brown said this trend had a lot to do with how hospitals focus their investments: Medical and financial leaders often have more sway than IT professionals in health systems, leading to a dearth of necessary spending and organizational practice improvement.

Some of the findings echoed other recent market research. About a third of those surveyed said that their organizations did not scan for vulnerabilities prior to suffering an attack—a report published last month by ServiceNow found that 28% of healthcare industry IT workers said their organizations never scanned for vulnerabilities. In that survey, 58% agreed with the notion their artificial intelligence and machine learning capabilities were outpaced by bad actors.

Nearly a third of respondents in the new research also reported that their institution did not have an “adequate solution” for instant detection of and response to cybersecurity events. And future outlooks were grim: Only 12% of hospitals and 9% of physician organizations expressed optimism that a Q2 2019 assessment would find their network safer than it is today—nearly a quarter actually reported believing that their situation would worsen.

Related Coverage:

After Failing to Avert Data Breach Lawsuit, CareFirst Gets Hacked Again

Vulnerabilities Are Surging, and Healthcare Cybersecurity Might Struggle to Keep Up

Threats to Health Data Often Come From Inside, Report Finds