Providers Targeted Most in Healthcare Cyberattacks; Security Resources Still Lacking, Report Finds

Nov. 6, 2019
Many hospitals and nearly all physician group respondents said they still don’t employ a dedicated CISO

A new report reveals that providers continue to be the most targeted organizations for healthcare cybersecurity breaches, accounting for 80 percent of industry security incidents. 

Black Book Market Research surveyed nearly 2,900 security professionals from more than 700 provider organizations to identify gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians ripe for data breaches and cyberattacks.

So far in 2019, the research found, 96 percent of IT professionals agree with sentiments that data attackers are outpacing their medical enterprises, with providers being the most targeted group in healthcare. Over half (53 percent) of all provider breaches were caused by external hacking, according to respondents.

More than 93 percent of healthcare organizations have experienced a data breach since Q3 2016, and 57 percent have had more than five data breaches during the same timeframe. Not only has the number of attacks increased; more than 300 million records have been stolen since 2015, affecting about one in every 10 healthcare consumers, the data showed. Respondent hospital organizations that experienced actual breaches in 2019 estimated the cost of a data breach at an average of $423 per record.

A key challenge, researchers noted, is that budget constraints have encumbered the practice of replacing legacy software and devices, leaving enterprises more susceptible to attacks. "It is becoming increasingly difficult for hospitals to find the dollars to invest in an area that does not produce revenue," Doug Brown, founder of Black Book, said in a statement.

Indeed, according to 90 percent of hospital representatives who were surveyed, IT security budgets have remained level since 2016. As a share of health system and hospital IT budgets, cybersecurity has increased to about 6 percent of the total annual IT spend for CY 2020, but physician organizations and groups report a decrease in actual cybersecurity expense allocated, with less than 1 percent of their IT budgets earmarked for cybersecurity in 2020.

And a third of hospital executives who purchased cybersecurity solutions between 2016 and 2018 report that they “did so blindly without much vision or discernment.” More than nine in 10 (92 percent) of the data security product or service decisions since 2016 were made at the C-level and failed to include any users or affected department managers in the cybersecurity purchasing decision, the research revealed. Just 4 percent of organizations had a steering committee to evaluate the impact of the cybersecurity investment.

"The situation did not improve in 2019 and the dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data," said Brown. "Cybersecurity is a newer line item for hospitals and physician enterprises, and budgets have not evolved to cover the true scope of human capital and technology requirements yet, including AI."

Enough effort being made?

Last year's Black Book cybersecurity survey revealed that 84 percent of hospitals were operating without a dedicated security executive. As a solution to unsuccessfully recruiting a qualified healthcare chief information security officer (CISO), 21 percent of organizations opted for security outsourcing to partners and consultants or selected security-as-a-service options as a stop-gap measure.

In 2019, 21 percent of hospitals surveyed report having a dedicated security executive, although only 6 percent identified that individual as a CISO. Only 1.5 percent of physician groups with over 10 clinicians in the practice report having a dedicated CISO.

To this end, respondents to a separate Q3 2019 survey of 58 health system marketing leaders with organizational breaches in the past 18 months report expending between $51,000 and $100,000 of unbudgeted marketing expense to fight any negative impressions cast on the hospital brand by data breaches and theft. Still, no marketing executive surveyed reported allocating 2020 budget funds to combat the consequences of patient privacy or record breaches.

As such, the shortage of healthcare cybersecurity professionals is forcing a rush to acquire services and outsourcing at a pace six times more than cybersecurity products and software solutions—an increase of 40 percent from last year.

But still, nearly nine in 10 respondents (87 percent) report that their healthcare organizations have not had a cybersecurity drill with an incident response process, despite the skyrocketing cases of data breaches in the industry.

Healthcare organizations are instead hyper-focused on patient care and reimbursement, and "Cybersecurity risks are not at the forefront of executives' minds," said Brown. "Medical and financial leaders also wield more influence over organizational budgets, making it difficult for IT management to implement needed cybersecurity practices despite the existing environment."
