A recently published Black Book Research report shows that approximately 90% of healthcare groups have encountered a data breach since Q3 2016, yet IT security investment at 88% of hospitals remains at 2016 levels.
This information is the result of a survey of over 2,400 security professionals from 680 provider groups. The focus of the study was to find the reasons why the healthcare sector is particularly vulnerable to cyberattacks.
Black Book Research explains in the report that since 2015 there have been more than 180 million healthcare records stolen, with approximately one in 12 healthcare consumers affected by a data breach at a provider organization. Nine out of ten healthcare providers have experienced a breach, and almost 50% of providers have experienced more than 5 data breaches since Q3 2016.
There has been a noticeable increase in healthcare data breaches since 2015, with cybercriminals and nation-state-backed hackers increasingly targeting the healthcare sector. Even though cyberattacks are increasing, healthcare IT security budgets are not. Because cybersecurity does not generate revenue, it is proving increasingly difficult to find the money required to make significant enhancements to cybersecurity defenses. Part of the issue is a lack of funds to replace vulnerable legacy systems and devices. The funds are simply not available to begin such an undertaking.
96% of IT professionals are of the opinion that threat actors now have the upper hand and medical enterprises are not spotting and addressing weaknesses quickly enough. Every year security posture should improve as cybersecurity programs age, but that does not appear to be the case in the healthcare sector. Only 12% of respondents think that their security posture will improve in 2019, and 23% of supplier organizations believe their security posture will be worse in 2019.
Money is being invested in cybersecurity solutions, although all too often solutions are purchased without enough knowledge on the product base, with IT departments lacking vision or discernment. The study showed 92% of data security product and service decisions have been taken at the C-suite level, with department managers having no input into investment decisions.
89% of surveyed CIOs said they purchased cybersecurity solutions to meet compliance requirements rather than to reduce risk. When cybersecurity solutions are purchased, it is rare for the effectiveness of those solutions to be reviewed. Only 4% of groups surveyed had a steering committee that evaluated the effect of investments in cybersecurity.
Healthcare suppliers appear to have realized the benefits of hiring a chief information security officer (CISO) yet recruiting a suitably qualified worker to fill the position is not proving easy. Due to the inability to recruit staff, 21% of healthcare providers have opted for MSPs to supply security-as-a-service or have outsourced security to partners and consultants.
Contracting the services of a cybersecurity vendor before an attack allows hospitals to settle the best deal; however, many hospitals have been put at a severe disadvantage by seeking help from third parties after a cybersecurity incident. 58% of hospitals only chose to outsource security after a cybersecurity breach.
While scanning for weaknesses allows healthcare organizations to identify and address flaws to avoid data breaches, 32% of healthcare groups did not carry out a scan prior to suffering a cyberattack.
A swift response to a cyberattack can greatly restrict the harm caused, although detecting cyberattacks and data breaches is still a major challenge. 29% of healthcare groups lack a security solution that permits them to instantly detect and react to a cyberattack.
While most hospitals have formulated an incident response strategy, 83% of surveyed healthcare organizations have not conducted a cybersecurity incident drill to test the effectiveness of their incident response plan. Without conducting such testing, it is not possible to tell how effective the plan will be in the event of a major incident occurring.
A lack of adequate security objectives in strategic and tactical plans, insufficient financing, poorly chosen cybersecurity solutions and a reactive rather than proactive cybersecurity plan make the healthcare industry particularly susceptible to attack. Until amendments are implemented to address all of those areas, the healthcare sector will remain particularly vulnerable to attack and cyberattacks are likely to continue to rise.