Black Book Research conducted a survey in which over 2,400 security professionals from 680 healthcare organizations participated. According to the survey, over 90% of healthcare organizations have had a data breach since Q3 2016, and 50% of the organizations have had over 5 data breaches. Despite these incidents, 88% of hospitals have kept their budget for IT security the same since 2016. No wonder the healthcare industry is very vulnerable to cyberattacks.
Black Book Research mentioned that over 180 million healthcare records have been stolen since 2015. That means one in 12 healthcare consumers has been affected by a data breach. Though data breaches in the healthcare industry have increased significantly, healthcare providers have not increased their IT security budgets. Perhaps it is because they don’t see any income generated from cybersecurity. Lack of funds is also a problem, so replacing vulnerable systems and devices seems close to impossible.
96% of surveyed IT professionals think that threat actors have the advantage now because medical providers are not addressing security vulnerabilities. Even though cybersecurity programs have advanced, only 12% of respondents believe providers will have a better security posture in 2019. 23% of respondents think it will be worse.
Investments are not being made in the appropriate cybersecurity solutions. The research revealed that 92% of the data security products and services purchased were decided at the C-suite level, without enough input from the IT security team. 89% of surveyed respondents say that the cybersecurity solutions purchased were meant not to reduce cyberthreat risks but to meet compliance requirements.
Healthcare providers now understand why having a chief information security officer (CISO) is important. But the problem is finding a qualified person for the position. As an alternative, 21% of healthcare providers outsource their security service requirement or use MSPs to provide security-as-a-service.
It is better for hospitals to engage the services of a cybersecurity vendor before an attack. Sad to say, 58% of hospitals only outsource security services after a breach incident. Healthcare organizations should also scan for vulnerabilities so that they can fix weaknesses and prevent data breaches. But 32% of organizations that suffered a cyberattack did not perform a vulnerability scan.
In order to limit the harm of a cyberattack, the healthcare organization must be able to detect cyberattacks instantly and respond to the incident. Unfortunately, 29% of healthcare organizations cannot do this. Most hospitals do not have an incident response plan. 83% of surveyed healthcare organizations have not tested their incident response plan through drills, so its effectiveness is not guaranteed.
This survey and research report revealed that these factors contribute to the healthcare industry’s vulnerability to cyberattacks: insufficient funding, poor cybersecurity solution choices, a reactive rather than proactive cybersecurity strategy, and a lack of security objectives and a plan. If these issues are addressed, there will most likely be fewer cyberattacks and breaches.