A new survey of more than 2,400 cybersecurity professionals from 705 provider organizations reveals that 73 percent of health system, hospital and physician organizations report that their security infrastructures are unprepared to respond to the new threat environment. The survey, from Black Book Market Research, estimates that 1,500 healthcare providers are vulnerable to data breaches of 500 or more records, representing a three hundred percent increase over this year.
The research set out to identify gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians proverbial sitting ducks for data breaches and cyber-attacks. Ninety-six percent of IT professionals agreed with the sentiments that data attackers are outpacing their medical enterprises, holding providers at a disadvantage in responding to vulnerabilities.
Researchers noted that the healthcare industry is estimated to spend $134 billion on cybersecurity from 2021 to 2026, and $18 billion in 2021 alone, representing an increase of 20 percent each year to nearly $37 billion in 2026. But, according to the survey’s findings, 82 percent of CIOs and CISOs in health systems in Q3 2020 agree that the dollars spent currently have not been allocated prior to their tenure effectively, often only spent after breaches, and without a full gap assessment of capabilities led by senior management outside of IT.
Other key findings from Black Book’s cybersecurity report include:
A talent shortage for cybersecurity professionals continues and exceeds the demand by health systems: Additionally, Black Book surveyed 291 healthcare industry human resources executives to determine the organizational supply and demand of experienced cybersecurity candidates. On average, cybersecurity roles in health systems take 70 percent longer to fill than other IT jobs. Health systems are struggling to find workers that request cybersecurity-related skills as vacancy duration as reported by survey HR respondents average about 118 days to fill positions, nearly three times as high as the national average for other industries. What’s more, 75 percent of the 66-health system CISOs responding agreed that experienced cybersecurity professionals are unlikely to choose a healthcare industry career path because of one main reason: more than in other industries, healthcare CISOs are ultimately held responsible for a data breach and the financial and reputation impacts to the provider organization despite having extremely limited decision-making technology or policy-making authority.
COVID-19 has greatly increased the risk of data breaches from remote work and cloud-based business operations: Black Book surveying found 90 percent of health systems and hospital employees who shifted to a work-at-home assignment due to the pandemic did not receive any updated guidelines or training on the increasing risk of accessing sensitive patient data compromising systems. Forty percent of all clinical hospital employees receive little or no cybersecurity awareness training still in 2020, beyond initial education on log-in access. Stolen and compromised credentials were ongoing issues for 53 percent of health systems surveyed as hackers are increasingly using cloud misconfigurations to breach networks.
Cybersecurity consulting and advisory services are in high demand: Sixty-nine percent of 219 C-suite respondents state their health system's budget for cybersecurity consulting is increasing in 2021 to assess gaps, secure network operations, and user security on-premises and in the cloud.
Cybersecurity in healthcare provider organizations remains underfunded: The amount of dollars that are actually spent on healthcare industry cybersecurity products and services are increasing, averaging 21 percent year-over-year since 2017. Extended estimates have estimated nearly $140 billion will be spent by health systems and health insurers by 2026. However, 82 percent of hospital CIOs in inpatient facilities under 150 staffed beds and 90 percent of practice administrators collectively state they are not even close to spending an adequate amount on protecting patient records from a data breach.
The majority of healthcare consumers are willing to change providers if they feel their medical records are not secure: 80 percent of healthcare organization have not had a cybersecurity drill with an incident response process, despite the skyrocketing cases of data breaches in the healthcare industry in 2020. Only 14 percent of hospitals and 6 percent of physician organizations believe that a 2021 assessment of their cybersecurity will show improvement from 2020. And, 26 percent of provider organizations believe their cybersecurity position has worsened, as compared to three percent in other industries, year-to-year. As such, a poll of 3,500 healthcare consumers that used medical or hospital services in the last 18 months revealed 93 percent would leave their provider if their patient privacy was comprised in an attack that could have been prevented.
