Risk Management is Maturing, But Cybersecurity Gaps Still Loom, Report Finds

Healthcare Informatics Magazine | Health IT | Information Technology

March 2, 2018
by Heather Landi

A new cybersecurity survey released this week finds that healthcare’s approach to cybersecurity is maturing, with more providers adopting cybersecurity frameworks, yet the average level of IT security spend has remained flat over the last three years.

Healthcare organizations are showing improvements in risk management; however, gaps remain in addressing increasing security threats and evolving concerns around the risks of medical devices and cloud adoption, according to the study from Mountain View, Calif.-based Symantec and HIMSS Analytics. The two organizations released this week their third annual IT Security and Risk Management study, which examines where healthcare organizations stand with their investments and efforts to strengthen their security postures.

One promising finding from the survey is that healthcare organizations are beginning to implement practices that demonstrate a more mature understanding of cybersecurity as an enterprise-wide concern. Cybersecurity is no longer considered solely an IT responsibility or a compliance issue. Many organizations, specifically eight out of 10, have a cybersecurity brief at board meetings, although half of these respondents say it is still on an ad-hoc basis, the study found.

Sixty percent of healthcare providers are now identifying risk assessment, rather than HIPAA compliance, as the number one driver for security investments. And, 59 percent of respondents identified “performance against risk frameworks” as a top security KPI (key performance indicator).

More providers have adopted cybersecurity frameworks, with 40 percent using more than one framework. The top three most commonly adopted frameworks are the NIST cybersecurity framework (NIST CSF), which is used by 63 percent of respondents, the HITRUST framework (37 percent of respondents) and the ITIL framework (31 percent of respondents).

Despite this progress, the Symantec and HIMSS Analytics survey also found that providers still struggle to get enough resources to combat the continually evolving threat landscape. In 2017 alone, the Office for Civil Rights in the U.S. Department of Health and Human Services reported that 295 healthcare providers suffered a breach of 500 or more patient records. These reported breaches affected a total of 4.77 million individuals.

Looking at the barriers to improving security programs, about three-fourths of respondents (73 percent) cited budgets as the most significant barrier, with staffing and skillsets coming in second and third. More than one in three (36 percent) also identified a lack of appropriate tools as a barrier.

The survey found a continued lack of investment in cybersecurity by healthcare providers. Specifically, 74 percent of providers devote 6 percent or less of their total IT budget to IT security. Nearly half of respondents (45 percent) reported allocating 3 percent or less of their total IT budget to security. Another 29 percent reported spending between 4 and 6 percent of their total IT budget on security. In fact, the average level of IT security spend has remained flat over the last three years. By comparison, the finance industry typically tends to spend 10 to 12 percent of its IT budget on security.

In a blog post about the survey, Axel Wirth, Symantec technical architect, wrote, “Healthcare faces a growing assortment of threats from increasingly sophisticated malicious actors—whether we’re talking about nation states, hacktivists, or financially motivated cyber criminals. Attackers now have the capability, and have demonstrated the ability, to steal confidential data, ransom or blackmail hospitals, and disrupt or even shut down services. But as we learned from HIMSS Analytics and Symantec’s just-released IT Security and Risk Management study of the healthcare industry, although we are seeing some signs of improvement, the industry still has a way to go.”

These trends are occurring while the dynamic and evolving nature of health IT increases the complexity of securing protected health information. The survey found that 71 percent of healthcare provider respondents have widespread security concerns related to moving information and applications to the cloud, even though three out of four providers are already using the cloud. Almost all respondents (95 percent) have multiple concerns regarding medical device security in their environments.

The survey report recommends a number of steps healthcare organizations can take to help advance their risk management program across their organization:

  • Create cybersecurity awareness and increase training across the organization and as appropriate for the respective roles
  • Continue to engage the Board on the implications and risks of underinvesting in cybersecurity resources and tools
  • Implement an integrated cyber defense platform rather than deploying a collection of point products and solutions
  • Ensure all necessary stakeholders (IT, Legal, PR and Communications, Clinical Staff, Executives, etc.) are involved in Incident Response planning

Wirth says every aspect of a provider’s approach to cybersecurity—from keeping the board informed to adopting a framework, to budgeting for and managing risk—must be conducted from a business risk perspective.

“All of an organization’s security tools need to work together in order to optimize detection across the organization and to minimize the impact of security incidents,” Wirth said in the report. “All the evidence points to the same conclusion. Security in this day and age is not a point problem anymore; it’s an enterprise problem with the potential to affect the bottom line, care delivery and, most critically, patient safety.”
