Eighty-four percent of U.S. healthcare providers don’t have a cyber security officer, and only 11 percent plan to add one in 2018, according to a recent Black Book Research survey of 323 strategic decision makers at U.S. healthcare provider and payer organizations.
At healthcare payer organizations, the outlook is slightly better — 31 percent have an established cyber security manager, and 44 percent plan to hire one in the coming year.
Just 15 percent of all responding organizations currently have a CISO in place.
“The critical role of medical facilities, combined with poor security practices and lack of resources, make them vulnerable to financially and politically motivated attacks,” Black Book managing partner Doug Brown said in a statement.
Fifty-four percent of healthcare providers don’t conduct regular risk assessments, and 39 percent don’t carry out regular penetration testing. “These results may not be all that surprising, however, considering some of the new solution providers are offering passive monitoring for their networks and the upfront costs have been dramatically slashed,” Brown noted.
At the same time, fully 92 percent of C-suite respondents said cyber security and the threat of a data breach still aren’t major talking points with their boards of directors — and 89 percent said IT funds budgeted for 2018 are focused primarily on business functions, with only a small fraction allocated to cyber security.
“Cyber security has to be a top-down strategic initiative, as it’s far too difficult for IT security teams to achieve their goals without the board leading the charge,” Brown said.
A separate survey of 1,300 U.S. physicians by Accenture and the American Medical Association (AMA) found that 83 percent of respondents have experienced a cyber attack in their clinical practices.
Sixty-four percent of those who were attacked experienced up to four hours of downtime, and 29 percent of those in medium-sized practices experienced almost a full day of downtime.
Fifty-five percent of respondents said they’re very or extremely concerned about future cyber attacks in their practice — 74 percent said such attacks could interrupt their clinical practices, 74 percent said they could compromise the security of patient records, and 53 percent said they could impact patient safety.
“The important role of information sharing within clinical care makes healthcare a uniquely attractive target for cybercriminals through computer viruses and phishing scams that, if successful, can threaten care delivery and patient safety,” AMA president David O. Barbe said in a statement.
“New research shows that most physicians think that securely exchanging electronic data is important to improve healthcare,” Barbe added. “More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, [confidentiality] and integrity of healthcare data.”
Two thirds of respondents believe greater access to patient data both inside and outside their health system would help them provide quality patient care more efficiently, though 83 percent said HIPAA compliance alone isn’t sufficient to protect that data.
“Physician practices should not rely on compliance alone to enhance their security profile,” Kaveh Safavi, head of Accenture’s global health practice, said in a statement. “Keeping pace with the sophistication of cyber attacks demands that physicians strengthen their capabilities, build resilience and invest in new technologies to support a foundation of digital trust with patients.”