A recent cybersecurity survey shows that overall healthcare approaches to cybersecurity have improved in recent years. Most organizations have embraced their need to protect their data from intrusion.
A study conducted by Mountain View, California-based Symantec and HIMSS Analytics[1] found that healthcare organizations are improving their risk management strategies. Although their efforts are still not sufficient, they represent a marked improvement over previous years. Most security experts nonetheless believe that gaps remain in most organizations' security tooling.
The newer cyber risks include medical devices. With the expansion of the Internet of Things (IoT), attackers can reach almost any networked device, including medical devices and appliances. With so much information now hosted in the cloud, protecting that data is more important than ever.
The Symantec and HIMSS Analytics study[2] covers the current position of healthcare organizations as to their investment and efforts to strengthen their security. It accentuates some of the vulnerabilities that many organizations still have. There is one positive finding from the survey showing that healthcare organizations have matured in their understanding of cyber security. In the past, a lack of understanding about hacking, malware, and ransomware has prevented many businesses from taking the threat seriously enough.
In the past, companies treated cybersecurity as the responsibility of the IT department alone. Leadership did not get involved in how company data was protected; instead, they relied on the CIO or IT staff to do the right thing. Today, that has changed. Cybersecurity is discussed at every level, from the mail room to the board room. According to the report, eight out of ten organizations have recently taken stronger security measures. However, about half of them admitted that they know they are still vulnerable in some areas.
Another finding is that 60 percent of healthcare providers believe risk assessment, rather than HIPAA compliance alone, is the more effective way to secure data against cyber thieves.
This progress has faced a few challenges, as the Symantec and HIMSS Analytics survey shows. The main challenge was acquiring enough resources to counter a continually evolving threat landscape. For 2017, the U.S. Department of Health and Human Services reported 295 data breaches at hospitals and healthcare providers, and that number is expected to triple in 2018.[3]
A number of hindrances to improving security programs in the healthcare industry were cited. Not surprisingly, about 73% said that budgetary restrictions were a significant barrier. Staffing came in second with lack of the essential skills a close third.
The survey also found a substantial lack of sustained investment in cybersecurity by healthcare providers. According to the respondents, 74% of providers set aside 6% or less of their IT budget for IT security, and nearly 45% allocated only 3%. These spending levels have remained about the same for three years in a row. By comparison, the financial industry spends an average of 10 to 12 percent of its IT budget on security.[4]
The research report makes a number of recommendations that all healthcare organizations can follow to improve their risk management:
- Create greater awareness among employees and conduct regular training across the organizations.
- Engage the Board on implications and the risks of failing to allocate adequate resources to invest in better cybersecurity resources and tools.
- Employ a comprehensive cyber defense platform that addresses each gateway cyber-thieves use.
- Ensure all the stakeholders (IT, Legal, PR and Communications, Clinical Staff, Executives, etc.) are actively involved in Incident Response planning.
According to Axel Wirth, who analyzed the report in a Symantec blog post[1], "Every aspect of a provider's approach to cybersecurity must be conducted from a business risk perspective".
His view is shared by many IT security experts. The only way cybersecurity in the healthcare industry will be given the seriousness it deserves is for everyone involved to recognize that this problem will not go away on its own. It must be addressed and given the time, attention, resources, and money required to curb cyber theft. In the long run, this is also the most sensible and cost-effective approach.
CONCLUSION
All of the people and resources involved in cybersecurity at a healthcare organization must work together to maximize detection and limit the impact of security events. The best way to achieve this is to keep the board informed and adopt an effective security framework. A sufficient IT security budget must be allocated every year; otherwise, care delivery and patient safety will be seriously compromised.
[1] https://www.symantec.com/connect/blogs/new-research-healthcare-organizations-bolstering-cybersecurity-budgets-and-resources-significa
[2] https://resource.elq.symantec.com/LP=2713
[3] http://www.healthcareitnews.com/slideshow/biggest-healthcare-breaches-2017-so-far?page=1
[4] https://www.sans.org/reading-room/whitepapers/analyst/risk-loss-security-spending-financial-sector-survey-34690