Healthcare Orgs Not Taking Cybersecurity Seriously Enough, Black Book Reports

Dec. 20, 2017
More than eight in ten provider organizations lack a reliable enterprise leader for cybersecurity, while only 11 percent plan to get a cybersecurity officer in 2018, according to a new report from Black Book.

For the survey, Black Book researchers polled more than 300 strategic decision makers in U.S. healthcare organizations, including both providers and payers. When it comes to payers, 31 percent said they have an established manager for cybersecurity programs currently, with 44 percent planning to recruit a candidate in 2018.

The survey revealed that the healthcare industry continues to underestimate security threats as attackers continue to seek data and monetary gain, researchers attested. "The low security posture of most healthcare organizations may prove a target demographic for which these attacks are successful," said Doug Brown, managing partner of Black Book.

The survey also pointed to the hesitation of healthcare provider organizations to adopt cybersecurity best practices. Fifty-four percent of respondents admitted they do not conduct regular risk assessments, while 39 percent don’t carry out regular penetration testing on their firewalls. “These results may not be all that surprising, however, considering some of the new solution providers are offering passive monitoring for their networks and the upfront costs have been dramatically slashed,” said Brown.

What’s more, 92 percent of the C-suite officers surveyed stated that cybersecurity and the threat of data breach are still not major talking points with their board of directors. And 15 percent of all healthcare organizations responding to the survey said they are taking cybersecurity seriously by having a chief information security officer (CISO) in charge now.

“Cybersecurity has to be a top-down strategic initiative as it’s far too difficult for IT security teams to achieve their goals without the board leading the charge,” said Brown.

Further, 89 percent of respondents reported that in 2018 budgeted IT funds are dedicated primarily to business functions with provable business cases, and only a small fraction is being allocated to cybersecurity.
