Black Book: healthcare still not taking cybersecurity seriously

Without effectively filling healthcare cybersecurity positions, it can be difficult for organizations to ensure that sensitive health data remains secure.

Jeff Rowe | Jan 10, 2018 12:00 am

It should go without saying that the more health IT systems end up in the cloud, the more attention health IT managers should be paying to cybersecurity concerns. But that doesn’t seem to be the case.

According to a recent Black Book survey, 84 percent of healthcare organizations do not have a cybersecurity leader. Furthermore, just 11 percent stated they plan to get a cybersecurity officer for 2018.

Black Book surveyed 323 strategic decision makers at US healthcare organizations, including providers and payers, finding also that only 15 percent of organizations have a chief information security officer (CISO) currently in charge.

“The low security posture of most healthcare organizations may prove a target demographic for which these attacks are successful,” Black Book Managing Partner Doug Brown said in a statement. “Cybersecurity has to be a top-down strategic initiative as it's far too difficult for IT security teams to achieve their goals without the board leading the charge.”

One-third of payers surveyed said they currently have an established cybersecurity program manager, and 44 percent reported they planned to recruit a candidate for the role in 2018. Just over half of all respondents said they do not conduct regular risk assessments, while 39 percent stated they do not conduct regular firewall penetration testing. Nearly all surveyed C-suite members – 92 percent – said potential data breach threats and cybersecurity itself are still not key focus areas for their boards of directors.

Additionally, 89 percent of respondents said their 2018 IT budgets were dedicated to business functions with provable business cases. “Only a small fraction” was being saved for cybersecurity, the survey found.