Survey: Healthcare Organizations Lack IT Budget and Expertise for Cybersecurity Measures | Healthcare Informatics Magazine

October 20, 2015
by Heather Landi

Most healthcare professionals believe criminals are increasingly targeting healthcare organizations; however, many report that their organizations do not have enough staff and security expertise dedicated to information security, according to a Trustwave survey.

For the 2015 Security Health Check Report, Trustwave surveyed 398 healthcare professionals, including 198 technical respondents (predominantly chief information officers, chief information security officers, IT managers, IT directors and IT vice presidents) and 200 non-technical respondents (physicians, nurses, senior executives, board members, finance professionals and office managers). The survey measures the challenges facing healthcare organizations and the security awareness and expectations of their employees.

Medical records are rapidly moving online and being widely shared among patient and health provider sources; web-connected “Internet of Things” devices and cloud services are expanding the attack surface; and the value of stolen health care data – which enables medical identity theft and insurance fraud – has soared in the criminal underground (reportedly fetching 10 to 20 times as much as financial data, such as credit card numbers), according to the Trustwave report.

The survey found that technical respondents were generally more concerned about security breaches, as 74 percent of technical respondents reported they are concerned about their organization getting breached, compared to 51 percent of non-technical respondents.

However, both segments of healthcare professionals reported they are most concerned about losing patient data in the event of a breach, above other types of information.

Among the technical professionals who took the survey, 35 percent reported that their company does not have enough staff and security expertise dedicated to security and half of respondents said 10 percent or less of their overall IT budget goes toward cybersecurity.

And, close to half (47 percent) of technical respondents reported that their business performs vulnerability testing just once a year or even less frequently, with 5 percent reporting they never do vulnerability testing. Eighty percent report that their organizations conduct a risk assessment once a year.

To address some of these issues, 35 percent of respondents reported hiring more staff with security expertise to manage their organization’s security, and 75 percent said their annual security budget has increased.

“To prevent the theft and use of this valuable data, health care organizations are backing two security measures, according to technical respondents. They are data segmentation (a privacy control that enables patients and providers to control who sees and uses certain sensitive data) and encryption (a well-known cloaking technology that renders data unreadable),” the report authors stated.

Of technical respondents, 94 percent said their organization encrypted information sent outside its network and 89 percent said their organization keeps its most sensitive data segmented from its non-sensitive data via a separate database.

As insider threats also pose a security risk for healthcare organizations, 96 percent of technical respondents said their organization limits access to sensitive information to only those who need it.

The report also highlights the need for buy-in from senior level executive leadership and board members with regard to information security issues and initiatives. Fifty-four percent of technical respondents said they meet with CEO/C-level executives/board members once a year about security challenges, while 35 percent report meeting with senior leadership twice a year or even more frequently.

An organization’s security and risk framework is only as good as how it is perceived and implemented throughout the business. The report authors highlight the need to overcome non-technical employee apathy and misinformation around information security through awareness training programs.

Half of non-technical respondents report that their organization’s security awareness education training only occurs once a year and the report authors emphasize that healthcare organizations should have more robust education and training programs.

The report authors also offer a number of recommendations for breach prevention, detection and response, such as understanding the risk through testing and risk assessment, prioritizing and taking action through awareness training and investing in advanced security solutions, using compliance frameworks for guidance and assessing the security of business partners.
