Black Book: 84% of hospitals lack a dedicated security leader

With attacks continuing unabated and healthcare again expected to be 2018's top cyber target, just 11 percent of providers plan to get a cybersecurity officer in 2018, the new research report finds.
By Bill Siwicki
02:01 PM

One would think, after all of the high-profile cyberattacks on healthcare, from WannaCry to Petya to NotPetya, not to mention countless smaller assaults, that healthcare C-suite executives would take cybersecurity deadly seriously. That doesn’t seem to be the case, according to a new Q4 2017 survey from Black Book Research.

Eighty-four percent of provider organizations lack a reliable enterprise leader for cybersecurity, while only 11 percent plan to get a cybersecurity officer in 2018, found the survey of 323 strategic decision makers in the U.S. healthcare industry.

When it comes to payers, 31 percent have an established manager for cybersecurity programs currently, with 44 percent planning to recruit a candidate in the new year, the survey said.

"The low-security posture of most healthcare organizations may prove a target demographic for which these attacks are successful," said Black Book Managing Partner Doug Brown. "Cybersecurity has to be a top-down strategic initiative as it's far too difficult for IT security teams to achieve their goals without the board leading the charge."

The survey also shed light on the hesitation of healthcare provider organizations to adopt best practices for cybersecurity. Fifty-four percent of respondents admitted they do not conduct regular risk assessments, while 39 percent do not carry out regular penetration testing on their firewalls.

"These results may not be all that surprising, however, considering some of the new solution providers are offering passive monitoring for their networks and the upfront costs have been dramatically slashed," Brown said.

Still, a whopping 92 percent of the C-suite executives surveyed said cybersecurity and the threat of data breach are not major talking points with their board of directors.

Fifteen percent of healthcare organizations do appear to be taking cybersecurity seriously, by having a chief information security officer in charge today, the survey showed.

But by and large, for hackers looking for valuable data with minimal effort, the healthcare industry remains a prime target.

"The critical role of medical facilities, combined with poor security practices and lack of resources, make them vulnerable to financially and politically motivated attacks," said Brown.
