Survey: Healthcare Organizations Lack IT Budget and Expertise for Cybersecurity Measures | Healthcare Informatics Magazine

October 20, 2015
by Heather Landi

Most healthcare professionals believe criminals are increasingly targeting healthcare organizations, but many report that their organizations do not have enough staff and security expertise dedicated to information security, according to a Trustwave survey.

For the 2015 Security Health Check Report, Trustwave surveyed 398 healthcare professionals, including 198 technical respondents (predominantly chief information officers, chief information security officers, IT managers, IT directors and IT vice presidents) and 200 non-technical respondents (physicians, nurses, senior executives, board members, finance professionals and office managers). The survey measures the challenges facing healthcare organizations and the security awareness and expectations of their employees.

Medical records are rapidly moving online and being widely shared among patients and healthcare providers; web-connected “Internet of Things” devices and cloud services are expanding the attack surface; and the value of stolen healthcare data, which enables medical identity theft and insurance fraud, has soared in the criminal underground (reportedly fetching 10 to 20 times as much as financial data such as credit card numbers), according to the Trustwave report.

The survey found that technical respondents were generally more concerned about security breaches, as 74 percent of technical respondents reported they are concerned about their organization getting breached, compared to 51 percent of non-technical respondents.

However, both segments of healthcare professionals reported they are most concerned about losing patient data in the event of a breach, above other types of information.

Among the technical professionals who took the survey, 35 percent reported that their organization does not have enough staff and security expertise dedicated to information security, and half said that 10 percent or less of their overall IT budget goes toward cybersecurity.

Close to half (47 percent) of technical respondents reported that their organization performs vulnerability testing just once a year or less frequently, and 5 percent reported that they never do vulnerability testing. Eighty percent report that their organizations conduct a risk assessment once a year.

To address some of these issues, 35 percent of respondents reported hiring more staff with security expertise to manage their organization’s security, and 75 percent said their annual security budget has increased.

“To prevent the theft and use of this valuable data, health care organizations are backing two security measures, according to technical respondents. They are data segmentation (a privacy control that enables patients and providers to control who sees and uses certain sensitive data) and encryption (a well-known cloaking technology that renders data unreadable),” the report authors stated.

Of technical respondents, 94 percent said their organization encrypted information sent outside its network and 89 percent said their organization keeps its most sensitive data segmented from its non-sensitive data via a separate database.

As insider threats also pose a security risk for healthcare organizations, 96 percent of technical respondents said their organization limits access to sensitive information to only those who need it.

The report also highlights the need for buy-in from senior level executive leadership and board members with regard to information security issues and initiatives. Fifty-four percent of technical respondents said they meet with CEO/C-level executives/board members once a year about security challenges, while 35 percent report meeting with senior leadership twice a year or even more frequently.

An organization’s security and risk framework is only as good as how it is perceived and implemented throughout the business. The report authors highlight the need to overcome non-technical employee apathy and misinformation around information security through awareness training programs.

Half of non-technical respondents report that their organization’s security awareness education training only occurs once a year and the report authors emphasize that healthcare organizations should have more robust education and training programs.

The report authors also offer a number of recommendations for breach prevention, detection and response: understand the risk through testing and risk assessment; prioritize and take action through awareness training and investment in advanced security solutions; use compliance frameworks for guidance; and assess the security of business partners.
