New Study Pegs Hospitals as ‘Sitting Ducks’ for Cyberattacks

• It takes 70% longer to fill cybersecurity roles in health systems than other IT jobs
• 75% of CISOs said experienced cybersecurity professionals are unlikely to choose the healthcare industry as a career path because of the hurdles associated with the job
• More than in other industries, healthcare CISOs are ultimately held responsible for a data breach
• 90% of employees who shifted to remote work did not receive updated cybersecurity guidelines or training
• Cybersecurity shortages are forcing a rush to acquire services and outsourcing

Maintaining good cybersecurity hygiene in healthcare settings has become a nightmare, new research indicates. IT budgets are tight, staff and skills are lacking, and leadership is hard to find as the impact on a CISO’s career is simply too big in case of a security incident.

While some studies project a positive outlook for the global cybersecurity workforce, the healthcare industry doesn’t quite fit that model, according to Black Book Research. The firm’s surveys with various providers and job ranks have uncovered concerns about the state of cybersecurity in healthcare today. According to the research, there are so many gaps, vulnerabilities and deficiencies that healthcare institutions are essentially ‘sitting ducks’ for malicious actors.

A ‘people’ problem

Ninety-six percent of IT professionals in one survey said cybercriminals are outpacing their organizations’ defenses, leaving providers at a disadvantage in responding to vulnerabilities.

In a survey of 291 healthcare human resources executives,the researchers found it takes 70% longer to fill cybersecurity roles in health systems than other IT jobs.

In a poll of 66 health system CISOs, three quarters said experienced cybersecurity professionals are unlikely to choose a career in the healthcare industry because of hurdles associated with the job– especially in a cyber incident.

“More than in other industries, healthcare CISOs are ultimately held responsible for a data breach and the financial and reputation impacts to the provider organization despite having extremely limited decision-making technology or policy making authority,” according to the report.

Remote work and cloud-based operations

Healthcare cybersecurity has become even more complicated amid the COVID-19 pandemic, as understaffed IT security departments are scrambling to accommodate the surge in demand for remote services from patients and physicians while also responding to the surge in security risks.

90% of health systems and hospital employees who shifted to a work-at-home assignments due to the pandemic did not receive updated guidelines or training on the increasing risk of accessing sensitive patient data.

"Despite the rising threat, the vast majority of hospitals and physicians are unprepared to handle cybersecurity threats, even though they pose a major public health problem," said Brian Locastro, lead researcher on the 2020 State of the Healthcare Cybersecurity Industry study by Black Book Research.

To mitigate some risk, 59% of health system CIOs surveyed are shifting security strategies to address user authentication and data access.

Cybersecurity outsourcing (MDR/SOC) in high demand

Also among the C-suite, 69% said their health system's budget for cybersecurity consulting is increasing in 2021 to address gaps, secure network operations, and user security on-premises and in the cloud.

More importantly, the shortage of cybersecurity professionals and lack of appropriate technology solutions are forcing a rush to acquire services and outsourcing. Vendors, for their part, are responding to the labor crunch by offering healthcare providers and hospitals a growing portfolio of managed cybersecurity services, like Managed Detection and Response (MDR), or Security Operations Center as a Service (SOCaaS), the research showed.

Other findings include:

• Cybersecurity spending is increasing in the healthcare industry, averaging 21% year over year since 2017
• 80% of healthcare organizations have not had a cybersecurity drill with an incident response process, despite skyrocketing cases of data breaches in the industry
• Only 14 percent of hospitals and six percent of physician organizations believe that a 2021 assessment of their cybersecurity will show improvement from 2020
• 93% of healthcare consumers who used medical or hospital services in the last 18 months said they would leave their provider if their privacy was comprised in an attack that could have been prevented