Study: Cybersecurity Budgets, Staff Growing, but Many Organizations Still Lagging | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Study: Cybersecurity Budgets, Staff Growing, but Many Organizations Still Lagging

February 27, 2017
by Heather Landi
| Reprints
Click To View Gallery

Cybersecurity budgets are growing and healthcare organizations are allocating more employees to IT security compared to a year ago, however, despite the progress, significant gaps remain. For instance, 65 percent of healthcare organizations are still spending less than 6 percent on security, according to a study from HIMSS Analytics and Symantec released last week during the HIMSS17 conference.

The HIMSS Analytics and Symantec “IT Security and Risk Management Study” examined where healthcare organizations stand in terms of investments and efforts to strengthen their security strategies. For the study, HIMSS Analytics and Symantec surveyed 100 healthcare executive, C-suite, business and IT leaders and clinical leaders and also conducted a qualitative study with in-depth interviews.

The study findings revealed progress healthcare organizations made in the last year, such as the number of employees allocated to IT security is starting to rise and more organizations are adopting a cybersecurity framework. Additionally, two-thirds of participating organizations have a chief information security officer (CISO), which most often report to the CIO.

Cybersecurity budgets have grown as well with the percentage of respondents who spend 7 to 10 percent of their IT budget on cybersecurity jumping from 10 percent to 24 percent from 2015 to 2016. However, 65 percent of organizations dedicate 6 percent or less of their IT budget to IT security.

The survey findings indicate that the majority of healthcare organizations still have five or fewer employees allocated to IT security, but many organizations are working to increase that. In 2016, 11 percent of organizations reported having 11 to 20 employees allocated to IT security compared to 8 percent in 2015, while 13 percent of respondents in 2016 said they have 6 to 10 IT security employees, compared to only 10 percent in 2015.

Established risk framework adoptions are on the rise, the survey found, with most healthcare organizations utilizing the National Institute of Standards and Technology (NIST) Cybersecurity Framework (46 percent). Organizations also are using HITRUST (30 percent) and ITIL (27 percent) and 12 percent have developed their own framework, although that figure is down from 23 percent in 2015.

Looking at IT security drivers, respondents ranked HIPAA compliance (75 percent ranked it in the top 3), risk assessments (74 percent ranked it in top 3) and security/financial audits (63 percent) are the main drivers for their IT security investments. Twenty-five percent of respondents ranked “external incident” as one of the top 3 drivers for IT security investments, specifically, only 8 percent ranked as it the No. 1 driver.

Overall, organizations reported high confidence in their preparedness for cyber-attacks, with 36 percent of respondents ranking their organization as “5” on a scale of 1 to 7; 27 percent ranking their organizations as a “4” and 19 percent of respondent ranking their organization as a “6.”

The study also identified were gaps still remain and where many healthcare organizations are still lagging with regard to IT security. More than one-third of organizations are still only complying with key mandates or only implemented basic security controls, and more than half have been subjected to external cyber-attacks in the last 12 months.

Additionally, one one-third of respondents have standing security presentations at every board meeting. End-user education and training of lower importance to organizations, and only 25 percent of respondents believe they have adequate resources to protect against cyber-attacks.

Further, a significant number of respondents are in the early stages of addressing IT security for both medical and mobile devices, and some are still not addressing it at all.

The study findings indicate there may be a leadership disconnect as more clinical and business respondents reported higher confidence in their organization’s preparedness for cyber-attacks compared to IT and security leader respondents. Additionally, of those surveyed, business respondents were more likely to view cybersecurity as a business risk issue, whereas clinical and IT respondents view it as a HIPAA compliance issue. This disconnect impacts approaches to cybersecurity strategies.

Disparities across clinical, business, security and IT stakeholders may be hindering the ability of organizations to advance their cyber posture, according to the study. To achieve a higher level of cybersecurity confidence, business and IT leaders see a need for more investment in budgeting and staffing resources, while clinical leaders say more employee awareness and training is needed.

Despite recent increases to IT security spending and staffing, the majority of respondents identified budgets and staffing as the biggest barriers to higher levels of confidence in security programs. Of the respondents, 69 percent ranked budget as a top barrier, followed by staffing (59 percent), employee awareness and training (37 percent), skillset (30 percent) and tools (29 percent).

With healthcare organizations facing ongoing cyber threats and with the growing requirement for patient data exchange, as well as with a focus on privacy and security regulations, improving the industry’s cybersecurity posture is critical, according to the study authors. The study included a number of recommendations for healthcare organizations to improve cyber preparedness:

  • Build a comprehensive risk management program leveraging frameworks such as the NIST Cybersecurity Framework
  • Go beyond key mandates and basic security controls to protect infrastructures from targeted attacks and advanced threats, including ransomware
  • Continue to invest in IT security resources like budget and staffing, and—if sensible—consider partnering with outside contractors for assistance
  • Increase focus on end-user training, while protecting sensitive data and preventing unauthorized access to networks


2018 Raleigh Health IT Summit

Renowned leaders in U.S. and North American healthcare gather throughout the year to present important information and share insights at the Healthcare Informatics Health IT Summits.

September 27 - 28, 2018 | Raleigh


HIPAA Settlements: Three Boston Hospitals Pay $1M in Fines for “Boston Med” Filming

September 20, 2018
by Heather Landi, Associate Editor
| Reprints

Three Boston hospitals that allowed film crews to film “Boston Med” on premises have settled with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

According to OCR, the three hospitals—Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH)—compromised the privacy of patients’ protected health information (PHI) by inviting film crews on premises to film “Boston Med,” an ABC television network documentary series, without first obtaining authorization from patients.

OCR reached separate settlements with the three hospitals, and, collectively, the three entities paid OCR $999,000 to settle potential HIPAA violations due to the unauthorized disclosure of patients’ PHI.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” Roger Severino, OCR director, said in a statement. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Of the total fines, BMC paid OCR $100,000, BWH paid $384,000, and MGH paid $515,000. Each entity will provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media, according to OCR. Boston Medical Center's resolution agreement can be accessed here; Brigham and Women’s Hospital's resolution agreement can be found here; and Massachusetts General Hospital's agreement can be found here.

This is actually the second time a hospital has been fined by OCR as the result of allowing a film crew on premise to film a TV series, with the first HIPAA fine also involving the filming of an ABC medical documentary television series. As reported by Healthcare Informatics, In April 2016, New York Presbyterian Hospital (NYP) agreed to pay $2.2 million to settle potential HIPAA violations in association with the filming of “NY Med.”

According to OCR announcement about the settlement with NYP, the hospital, based in Manhattan, violated HIPAA rules for the “egregious disclosure of two patients’ PHI to film crews and staff during the filming of 'NY Med,' an ABC television series.” OCR also stated the NYP did not first obtain authorization from the patients. “In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.”

The OCR director at the time, Jocelyn Samuels, said in a statement, “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization. We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.” 

OCR’s guidance on disclosures to film and media can be found here.

More From Healthcare Informatics


Independence Blue Cross Notifies 17K Patients of Breach

September 19, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

The Philadelphia-based health insurer Independence Blue Cross is notifying about 17,000 of its members that some of their protected health information (PHI) has been exposed online and has potentially been accessed by unauthorized individuals.

According to an article in HIPAA Journal, Independence Blue Cross said that its privacy office was informed about the exposed information on July 19 and then immediately launched an investigation.

The insurer said that an employee had uploaded a file containing plan members’ protected health information to a public-facing website on April 23. The file remained accessible until July 20 when it was removed from the website.

According to the report, the information contained in the file was limited, and no financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed, HIPAA Journal reported.

The investigators were not able to determine whether any unauthorized individuals accessed the file during the time it was on the website, and no reports have been received to date to suggest any protected health information has been misused.

A statement from the health insurer noted that the breach affects certain Independence Blue Cross members and members of its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Fewer than 1 percent of total plan members were affected by the breach.

Related Insights For: Cybersecurity


Report: Healthcare Lags Other Industries in Phishing Resiliency

September 19, 2018
by Heather Landi, Associate Editor
| Reprints
Click To View Gallery

It’s no secret that the healthcare industry continues to be a target for cyber criminals and healthcare organization leaders face constantly evolving cyber threats. It's widely konwn that phishing attacks are a serious problem in the healthcare industry, yet the industry continue to lag behind other industries in its resiliency to phishing attacks, according to a recent report.

In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) which affected a total of 5.579 million patient records. A Verizon 2018 Data Breach Investigations Report (DBIR) released in April found that the human factor continues to be a key weakness in data breaches. Financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated—with email continuing to be the main entry point (96 percent of cases). And, that report found that while, on average, 78 percent of people did not fail a phishing test last year, 4 percent of people do for any given phishing campaign. A cybercriminal only needs one victim to get access into an organization.

In a recently released report, Cofense, a security software services company, specifically examined phishing attacks in healthcare. Cofense’s analysis is based on more than 160 sample healthcare clients over the last year (September 2017-2018) and the report explores how phishing endangers healthcare providers and provides steps organizations should be taking to boost their resiliency rate.

The report researchers examined healthcare’ resiliency to phishing attacks. Resiliency is the ratio between users who report a phish versus those who fall susceptible, according to the report. While resiliency in healthcare has improved in the past three years—from a rate of 1.05 in 2015 to a rate of 1.49 in 2018, so far—but it doesn’t mark dramatic improvement.

Based on a resiliency analysis across industries of the last 12 months, the healthcare industry clearly trails behind other industries in its phishing attack resiliency rate, as the average resiliency score for all industries was 1.79, according to the report.

The energy industry had a resiliency rate of 4.01, the financial services industry had a rate of 2.52, and the insurance industry had a rate of 3.03. The report’s researches surmise that one possible reason resiliency is higher in insurance versus healthcare is that insurance is tied to financial services, which is frequently attacked as well as heavily regulated.

“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report authors wrote.

One factor that surely inhibits the industry’s resiliency is high turnover, according to the report. “With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report states.

Cofense builds and tracks phishing simulations for its customers in which users receive simulated phishes. Based on the company’s analysis of these phishing exercises, the top five phishing scenarios that healthcare workers most frequently clicked on, based on the email subject line, were requested invoice, manager evaluation, package delivery, Halloween eCard alert and beneficiary change.

The next five were Holiday eCard alert, HSA customer service email, employee raffle, file from scanner and Halloween costume guidelines.

“These wide-ranging scenarios show that vulnerability is spread across business and social contexts,” the report authors wrote. The analysis indicates low scores in Requested Invoice and e-Card simulations alike. “While some would argue that an e-Card would never evade their secure email gateways, remember the gaps created by BYOD (bring your own device). Not everyone is on the corporate network and protected by its email systems. When personal devices are exposed, a breach can easily ensue,” the report authors wrote.

The Cofense report also notes that phishing attackers are masters at pulling emotional levers, as “Requested Invoice” plays on urgency, and “Manager Evaluation” taps into urgency too, tinged with fear. What’s more, “Employee Raffle” is purely about the desire for reward. “These are scenarios any healthcare company will want to use in conditioning employees to be careful and not take the bait.

In previous years, Cofense reported that fear, urgency, and curiosity were the top emotional motivators behind successful attacks. Now they’re closer to the bottom, replaced by entertainment, social media, and reward/recognition,” the report authors wrote.

The trend shows that as Internet behavior changes, so do phishing attacks, according to the report authors. And the report authors note that any active threats that a company faces is fodder for training. Security professionals who manage phishing awareness programs should ask their incident responders or threat intelligence analysts which active phishing threats should be simulated, according to the report.

“To guard against the phishing onslaught, healthcare providers would be smart to create an end-to-end defense, following the lead of the company featured in the case study. A collaborative defense, built with technology and skilled humans, both users and security professionals, is the best way to lower risk,” the report authors wrote.

See more on Cybersecurity