Cybersecurity budgets are growing and healthcare organizations are allocating more employees to IT security compared to a year ago, however, despite the progress, significant gaps remain. For instance, 65 percent of healthcare organizations are still spending less than 6 percent on security, according to a study from HIMSS Analytics and Symantec released last week during the HIMSS17 conference.
The HIMSS Analytics and Symantec “IT Security and Risk Management Study” examined where healthcare organizations stand in terms of investments and efforts to strengthen their security strategies. For the study, HIMSS Analytics and Symantec surveyed 100 healthcare executive, C-suite, business and IT leaders and clinical leaders and also conducted a qualitative study with in-depth interviews.
The study findings revealed progress healthcare organizations made in the last year, such as the number of employees allocated to IT security is starting to rise and more organizations are adopting a cybersecurity framework. Additionally, two-thirds of participating organizations have a chief information security officer (CISO), which most often report to the CIO.
Cybersecurity budgets have grown as well with the percentage of respondents who spend 7 to 10 percent of their IT budget on cybersecurity jumping from 10 percent to 24 percent from 2015 to 2016. However, 65 percent of organizations dedicate 6 percent or less of their IT budget to IT security.
The survey findings indicate that the majority of healthcare organizations still have five or fewer employees allocated to IT security, but many organizations are working to increase that. In 2016, 11 percent of organizations reported having 11 to 20 employees allocated to IT security compared to 8 percent in 2015, while 13 percent of respondents in 2016 said they have 6 to 10 IT security employees, compared to only 10 percent in 2015.
Established risk framework adoptions are on the rise, the survey found, with most healthcare organizations utilizing the National Institute of Standards and Technology (NIST) Cybersecurity Framework (46 percent). Organizations also are using HITRUST (30 percent) and ITIL (27 percent) and 12 percent have developed their own framework, although that figure is down from 23 percent in 2015.
Looking at IT security drivers, respondents ranked HIPAA compliance (75 percent ranked it in the top 3), risk assessments (74 percent ranked it in top 3) and security/financial audits (63 percent) are the main drivers for their IT security investments. Twenty-five percent of respondents ranked “external incident” as one of the top 3 drivers for IT security investments, specifically, only 8 percent ranked as it the No. 1 driver.
Overall, organizations reported high confidence in their preparedness for cyber-attacks, with 36 percent of respondents ranking their organization as “5” on a scale of 1 to 7; 27 percent ranking their organizations as a “4” and 19 percent of respondent ranking their organization as a “6.”
The study also identified were gaps still remain and where many healthcare organizations are still lagging with regard to IT security. More than one-third of organizations are still only complying with key mandates or only implemented basic security controls, and more than half have been subjected to external cyber-attacks in the last 12 months.
Additionally, one one-third of respondents have standing security presentations at every board meeting. End-user education and training of lower importance to organizations, and only 25 percent of respondents believe they have adequate resources to protect against cyber-attacks.
Further, a significant number of respondents are in the early stages of addressing IT security for both medical and mobile devices, and some are still not addressing it at all.
The study findings indicate there may be a leadership disconnect as more clinical and business respondents reported higher confidence in their organization’s preparedness for cyber-attacks compared to IT and security leader respondents. Additionally, of those surveyed, business respondents were more likely to view cybersecurity as a business risk issue, whereas clinical and IT respondents view it as a HIPAA compliance issue. This disconnect impacts approaches to cybersecurity strategies.
Disparities across clinical, business, security and IT stakeholders may be hindering the ability of organizations to advance their cyber posture, according to the study. To achieve a higher level of cybersecurity confidence, business and IT leaders see a need for more investment in budgeting and staffing resources, while clinical leaders say more employee awareness and training is needed.
Despite recent increases to IT security spending and staffing, the majority of respondents identified budgets and staffing as the biggest barriers to higher levels of confidence in security programs. Of the respondents, 69 percent ranked budget as a top barrier, followed by staffing (59 percent), employee awareness and training (37 percent), skillset (30 percent) and tools (29 percent).
With healthcare organizations facing ongoing cyber threats and with the growing requirement for patient data exchange, as well as with a focus on privacy and security regulations, improving the industry’s cybersecurity posture is critical, according to the study authors. The study included a number of recommendations for healthcare organizations to improve cyber preparedness:
- Build a comprehensive risk management program leveraging frameworks such as the NIST Cybersecurity Framework
- Go beyond key mandates and basic security controls to protect infrastructures from targeted attacks and advanced threats, including ransomware
- Continue to invest in IT security resources like budget and staffing, and—if sensible—consider partnering with outside contractors for assistance
- Increase focus on end-user training, while protecting sensitive data and preventing unauthorized access to networks