Healthcare Informatics Magazine

Global Survey: 95 Percent of Healthcare Orgs Don’t Use Security Governance or Risk Management Software

July 11, 2017
by Heather Landi

Despite the cyber threats facing healthcare organizations, 95 percent of IT specialists working at medical organizations around the world report that their organizations do not use any software for information security governance or risk management, according to the results of a 2017 IT Risks Survey.

Netwrix Corporation, provider of a visibility platform for data security and risk mitigation in hybrid environments, released the results of its Netwrix 2017 IT Risks report, which provides a look into IT security practices, pains, successful experiences and plans in the healthcare industry. The IT risks are divided into three areas: security, compliance and operations.

In a blog about the survey results, Jeff Melnick with Netwrix commented on the survey finding that most organizations do not use any software for security governance or risk management: “There may be two possible explanations for this: organizations either haven’t faced any threats yet, think of security as a ‘set and forget’ thing, which does not require more investment, or they simply do not have enough financial resources.”

What’s more, the survey found that 79 percent of IT operations are at least partially responsible for security, and 68 percent of healthcare providers do not have a separate cybersecurity function, which means the responsibility for security-related tasks will most likely fall on the IT operations teams.

Only 31 percent of healthcare organizations claim to be well prepared to beat IT risks, and more than half (56 percent) of healthcare organizations plan to invest in security solutions to protect against data breaches, the survey found.

As for obstacles, the majority of healthcare organizations cited lack of budget (75 percent), time (75 percent) and appropriate participation of senior management (44 percent) as the main barriers to taking a more efficient approach towards management of cyber risks.

When IT specialists at healthcare organizations were asked who they perceive as the biggest threat to their data and system security, more than half (56 percent) reported that they perceive employees to be the biggest threat, compared to 38 percent who cited hackers from the outside as the more serious threat.

Examining the most typical incidents that have happened to healthcare organizations during 2016, overall 59 percent of healthcare organizations had to deal with malware, which is often spread through social engineering attacks and penetrates organizations’ networks mainly due to employees’ negligence.

The second most common cause of security incidents was human error, which encompasses accidental disclosure of sensitive data, loss of critical information stored on mobile devices and other scenarios. As for system downtime, the main causes of outages were malicious activities (41 percent) and accidental or incorrect user activity (29 percent).

The survey also looked at how organizations prioritize certain areas of security, and the findings indicate that most healthcare organizations focus most of their attention on endpoint security (61 percent) and security of databases (56 percent). Forty-seven percent of organizations said they focus on virtual infrastructure.

The survey respondents also were asked about which areas are the most neglected as far as IT security. Thirty-eight percent reported that unstructured data stored in third-party data centers was the most neglected area, followed by bring-your-own-device data (29 percent) and shadow IT (21 percent).

Healthcare organizations must comply with a wide range of industry standards to ensure that basic security controls are in place and sufficient. Unfortunately, as the study authors point out, the survey results demonstrate that organizations’ readiness to meet compliance requirements leaves much to be desired, as 36 percent of organizations had compliance issues or experienced problems with passing audits. “Interestingly, for many healthcare organizations, the main problem is not the inability to provide a complete audit trail of user activity (which, according to HIPAA requirements, they always do), but rather the inability to retrieve relevant evidence in time,” Netwrix’s Melnick wrote.

Survey respondents also were asked where visibility into user activity is most needed, and 55 percent cited bring-your-own-device programs, followed by on-premise systems (47 percent), cloud systems (43 percent) and mobile devices (40 percent).

Melnick wrote that the survey results “found several inconsistencies in the healthcare organizations’ attitudes towards security.” “On one hand, organizations realize the necessity of data protection and control over their complex IT environments. On the other hand, many of them still fail to implement basic cybersecurity controls and experience difficulties in passing compliance audits. Despite following the requirements of HIPAA and other compliance standards, medical organizations are likely to focus on certain areas of IT environment instead of having visibility across all critical systems, which increases their vulnerability to cyber threats,” he wrote.

He also concluded, “Most organizations perceive visibility as being a critical measure in protecting patient data against cyber threats, and, despite all the difficulties, they are ready to invest in data protection and take more proactive approaches to security.”



