According to a new study, 2019 has been yet another brutal year for healthcare cybersecurity. In 2019, so far, nearly four out of five breaches in the industry struck health care providers. And 53% of those attacks were at the hands of external attackers, respondents to a new survey said.
The findings from Black Book Market Research LLC are based on a survey of more than 2,876 security professionals from 733 healthcare providers. Black Book Market Research said the objective of the research was to identify the gaps, vulnerabilities and deficiencies that persist in information security defenses.
Further, the survey found, more than 93% of healthcare organizations have experienced a data breach since Q3 2016, and 57% have had more than five data breaches during the same period. The increased pace of attacks is taking its toll in exfiltrated data and affected patients: more than 300 million records have been stolen since 2015, affecting about one in every 10 healthcare consumers.
These hefty numbers reveal a significant increase in attacks that target healthcare organizations. Much of the motivation is the high value of healthcare data, which can often be used for everything from blackmail to medical identity theft and fraud.
Tight budgets in the healthcare industry, as well as legacy systems and technical debt, have hindered the ability of many in the industry to budget appropriately for security defenses. "It is becoming increasingly difficult for hospitals to find the dollars to invest in an area that does not produce revenue," Doug Brown, president at Black Book Market Research, said in a statement.
How tight have budgets become? Ninety percent of the hospital representatives asked said that their security budgets have remained flat since 2016. Still, security's share of the budget has grown to about 6% of the total annual IT budget for 2020.
Interestingly, physician organizations and associated groups reported a decrease in their cybersecurity spending, with less than 1% of their IT budgets earmarked for cybersecurity in 2020. As a former cybersecurity czar said decades ago: if you spend more on coffee than on IT security, you will be hacked and you deserve to be hacked.
Unfortunately, patients don’t deserve to have information about them exposed.
In addition to tight budgets, the survey also found questionable decision-making processes behind security budget decisions. Black Book Market Research found that one-third of hospital executives who purchased cybersecurity tools between 2016 and 2018 said that they "did so blindly without much vision or discernment." The report also found that 92% of the data security product or service decisions since 2016 were made at the C-level and failed to include any users or affected department managers in the cybersecurity purchasing decision. Only 4% put in place a steering committee that could evaluate the impact of security investments.
Thirty-five percent of healthcare organizations did not scan for vulnerabilities before they were attacked.
"The situation did not improve in 2019, and the dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data," said Brown. "Cybersecurity is a newer line item for hospitals and physician enterprises, and budgets have not evolved to cover the true scope of human capital and technology requirements yet, including AI," he added.
A clear barrier to successful healthcare security is very likely the lack of dedicated security leadership in these organizations. The survey found that only 21% of hospitals report having a dedicated security executive, and only 6% identified that individual as a Chief Information Security Officer (CISO). That figure is a slight increase over the 16% of hospitals that reported having a dedicated security executive in the previous year's survey. Additionally, 84% of hospitals and 65% of payer organizations did not have full-time cybersecurity employees.
The lack of dedicated security leadership is the driver behind 21% of organizations choosing to outsource their security efforts.
According to the report, the dearth of cybersecurity professionals in the healthcare industry has also pushed many to buy more cybersecurity products and services at a pace six times faster than the previous year. "The key place to start when choosing a cybersecurity vendor is to understand your threat landscape, understanding the type of services vendors offer and comparing that to your organization's risk framework to select your best-suited vendor," said Brown. "Healthcare organizations are also more prone to attacks than other industries because they persist at managing through breaches reactively and not proactively."
The lack of security leadership has also created a blind spot. According to 70% of managers in the survey, their operations teams are not aware of the variety of cybersecurity tool sets that exist, including mobile security, intrusion detection, attack prevention, forensics and testing. In the previous year, 57% of respondents reported not having a good understanding of the cybersecurity product and service landscape.
Further, 60% of surveyed CIOs did not evaluate the total cost of ownership before making security service or product commitments, and 91% said that they bought their cybersecurity product or service to be compliant, not necessarily to reduce risk.
Many providers aren’t assessing their security tools or running incident response drills. The survey found that 40% of providers surveyed still do not carry out measurable assessments of their cybersecurity status. Of those that did, 19% used an objective third-party service to benchmark their cybersecurity readiness, 7% used software to benchmark their cybersecurity status and 73% self-assessed with their own criteria.
These breaches are costly. In another Q3 2019 survey by Black Book Market Research, marketing leaders within organizations that suffered a data breach in the 18 months prior to the survey reported spending between $51,000 and $100,000 in unbudgeted marketing expenses to fight negative impressions and support the hospital brand in the face of publicly disclosed data breaches.
Perhaps most disconcerting is that 94% of hospitals have not bolstered their cybersecurity protections since their last breach, and 58% of hospitals said that they selected their current security vendor following a cybersecurity incident. "Providers are at a severe disadvantage when they are forced to hastily retain a cybersecurity firm in the midst of an ongoing incident as the ability to conduct the necessary due diligence is especially limited," said Brown.
There was some hopeful news: more hospitals believe that they will improve year over year. While only 27% of hospitals believe that they will have improved a year after this survey, that does reflect a 12% improvement year over year.
Still, nearly a third of hospital leaders believe their cybersecurity position will worsen, and 79% of physician groups foresee increased cyber-attacks, as compared to 4% in other industries. Also, the number of healthcare organizations that haven't formally set specific security objectives and requirements in a strategic and tactical plan fell from 60% in 2018 to 47% in 2019.
Healthcare providers already face big enough challenges simply delivering patient care and getting reimbursed, so security isn't front of mind. "Cybersecurity risks are not at the forefront of executives' minds," said Brown. "Medical and financial leaders also wield more influence over organizational budgets making it difficult for IT management to implement needed cybersecurity practices despite the existing environment."
The study estimates that the cost of data breaches at hospitals that were actually breached averaged $423 per record.