Study Reveals Why Healthcare Organizations Fail to Meet Their Cybersecurity Goals
Black Book Research conducted a survey in Q4 2017 that revealed that the healthcare industry is not taking seriously the threat of cyberattacks. The survey had 323 participants who are decision makers at U.S. healthcare firms. Only 11% of the firms had plans to appoint a cybersecurity officer in 2018. Currently, about 84% of the firms had no dedicated leader for cybersecurity.
Those that take cybersecurity more seriously are the payer organizations. 31% have appointed cybersecurity managers and 44% have plans to appoint one in 2018. Overall, only 15% of the surveyed organizations have chief information security offices that take care of cybersecurity.
According to the survey, the healthcare industry is not adopting cybersecurity best practices. Risk assessments should be regular in every organization according to HIPAA. However, risk assessment is not regular in 54% of the survey respondents and 39% do not conduct firewall penetration tests at all. Even if their IT funds increased, cybersecurity remains a low priority. 89% of respondents said that IT funds were spent on provable business cases. Only a few of the organizations really use the budgets for cybersecurity.
For organizations to meet their cybersecurity goals, C-Suite should be involved. However, 92% of the respondents said that data breaches and cybersecurity were not talked about in board meetings. Without the board leading to implement this top-down strategic initiative, it becomes highly unlikely to achieve cybersecurity goals.
In 2015, there were 270 healthcare data breaches reported. In 2016, breaches increased to 327. In 2017, there were about 331 breaches. The number of data breaches has increased from year to year and will likely continue to do so in 2018. Unless healthcare organizations take the necessary steps to meet their cybersecurity goals, the number of data breaches this year will be another record breaker.