Global Survey: 95 Percent of Healthcare Orgs Don’t Use Security Governance or Risk Management Software | Healthcare Informatics Magazine


July 11, 2017
by Heather Landi

Despite the cyber threats facing healthcare organizations, 95 percent of IT specialists working at medical organizations around the world report that their organizations do not use any software for information security governance or risk management, according to the results of the Netwrix 2017 IT Risks Survey.

Netwrix Corporation, provider of a visibility platform for data security and risk mitigation in hybrid environments, released the results of its Netwrix 2017 IT Risks report, which provides a look into IT security practices, pains, successful experiences and plans in the healthcare industry. The IT risks are divided into three areas: security, compliance and operations.

In a blog about the survey results, Jeff Melnick with Netwrix commented on the survey finding that most organizations do not use any software for security governance or risk management: “There may be two possible explanations for this: organizations either haven’t faced any threats yet, think of security as a “set and forget” thing, which does not require more investment, or they simply do not have enough financial resources.”

What’s more, the survey found that IT operations teams are at least partially responsible for security in 79 percent of organizations, and that 68 percent of healthcare providers do not have a separate cybersecurity function, which means that security-related tasks will most likely fall to the IT operations teams.

Only 31 percent of healthcare organizations claim to be well prepared to beat IT risks, and more than half (56 percent) of healthcare organizations plan to invest in security solutions to protect against data breaches, the survey found.

Looking at the obstacles to managing cyber risk, the majority of healthcare organizations cited lack of budget (75 percent), lack of time (75 percent) and insufficient participation of senior management (44 percent) as the main barriers to taking a more efficient approach to cyber risk management.

When IT specialists at healthcare organizations were asked who they perceive as the biggest threat to their data and system security, more than half (56 percent) named employees, compared to 38 percent who named outside hackers as the more serious threat.

Examining the most typical incidents that have happened to healthcare organizations during 2016, overall 59 percent of healthcare organizations had to deal with malware, which is often spread through social engineering attacks and penetrates organizations’ networks mainly due to employees’ negligence.

The second most common cause of security incidents was human error, which encompasses accidental disclosure of sensitive data, loss of critical information stored on mobile devices and other scenarios. As for system downtime, the main causes of outages were malicious activity (41 percent) and accidental or incorrect user activity (29 percent).

The survey also looked at how organizations prioritize certain areas of security, and the findings indicate that most healthcare organizations focus most of their attention on endpoint security (61 percent) and database security (56 percent). Forty-seven percent of organizations said they focus on virtual infrastructure.

The survey respondents also were asked about which areas are the most neglected as far as IT security. Thirty-eight percent reported that unstructured data stored in third-party data centers was the most neglected area, followed by bring-your-own-device data (29 percent) and shadow IT (21 percent).

Healthcare organizations must comply with a wide range of industry standards to ensure that basic security controls are in place and sufficient. Unfortunately, as the study authors point out, the survey results demonstrate that organizations’ readiness to meet compliance requirements leaves much to be desired, as 36 percent of organizations had compliance issues or experienced problems with passing audits. “Interestingly, for many healthcare organizations, the main problem is not the inability to provide a complete audit trail of user activity (which, according to HIPAA requirements, they always do), but rather the inability to retrieve relevant evidence in time,” Netwrix’s Melnick wrote.

Survey respondents also were asked where visibility into user activity is most needed, and 55 percent cited bring-your-own-device programs, followed by on-premises systems (47 percent), cloud systems (43 percent) and mobile devices (40 percent).

Melnick wrote that the survey results “found several inconsistencies in the healthcare organizations’ attitudes towards security.” “On one hand, organizations realize the necessity of data protection and control over their complex IT environments. On the other hand, many of them still fail to implement basic cybersecurity controls and experience difficulties in passing compliance audits. Despite following the requirements of HIPAA and other compliance standards, medical organizations are likely to focus on certain areas of IT environment instead of having visibility across all critical systems, which increases their vulnerability to cyber threats,” he wrote.

He also concluded, “Most organizations perceive visibility as being a critical measure in protecting patient data against cyber threats, and, despite all the difficulties, they are ready to invest in data protection and take more proactive approaches to security.”
