Black Book announced key findings from a Q4 2017 survey that found that more than eight in 10 provider organizations lack a reliable enterprise leader for cybersecurity, while only 11 percent plan to get a cybersecurity officer in 2018. When it comes to payers, 31 percent have an established manager for cybersecurity programs currently, with 44 percent planning to recruit a candidate in the New Year.
Black Book revealed that the healthcare industry continues to underestimate security threats as attackers continue to seek data and monetary gain. "The low security posture of most healthcare organizations may prove a target demographic for which these attacks are successful," said Doug Brown, Managing Partner of Black Book.
The survey also advised on the hesitation of healthcare provider organizations in adopting the best practices for cybersecurity. 54 percent of respondents admitted they do not conduct regular risk assessments, while 39 percent don't carry out regular penetration testing on their firewalls. "These results may not be all that surprising, however, considering some of the new solution providers are offering passive monitoring for their networks and the upfront costs have been dramatically slashed," said Brown.
However, 92 percent of the C-suite officers surveyed state that cybersecurity and the threat of data breach are still not major talking points with their board of directors.
"Cybersecurity has to be a top-down strategic initiative as it's far too difficult for IT security teams to achieve their goals without the board leading the charge," said Brown. 15 percent of all healthcare organizations responding to the survey claim to be taking cybersecurity seriously by having a chief information security officer (CISO) in charge now.
For attackers looking to steal valuable data with minimal effort, the healthcare industry is a prime target. "The critical role of medical facilities, combined with poor security practices and lack of resources, make them vulnerable to financially and politically motivated attacks," said Brown.
89 percent of respondents reported in 2018, budgeted IT funds are dedicated toward primarily business functions with provable business cases and only a small fraction is being allocated to cybersecurity.