Despite Preponderance of Threats, Healthcare Cybersecurity Budgets Still Tight

While last year was disastrous for healthcare security incidents, it seems that cybersecurity budgets still haven’t risen to meet demand. New research from HIMSS looking at the status of cybersecurity found that while significant security incidents were widespread last year, many healthcare organizations still have no specific carveout for cybersecurity needs in their budgets or continue to maintain modest spending levels to combat the problem.

To conduct the survey, HIMSS researchers spoke with 167 healthcare security professionals, the majority of whom had primary responsibility for cybersecurity programs at their institutions.

One of the topline findings from the survey was that 67% of the respondents saw their organizations face significant security incidents in the past 12 months. The severity of the most significant security incident during that period was generally medium, accounting for 35% of reports, followed closely by high severity events (32%). Twelve percent of events were classed as critical and 20% as low severity.

Respondents reported that the most significant security event was typically either a phishing attack (45%) or a ransomware attack (17%). Breach or data leakage accounted for only 7% of episodes, and negligent insider activity was just 5%.

In 71% of cases reported by respondents, phishing was the initial point of compromise, followed by human error (19%), social engineering (15%), and legacy software issues (15%). When it came to the data targeted, financial information led the pack at 52%, followed by employee data (43%), and patient information (39%). Fifteen percent targeted intellectual property or confidential business information, and 6% biometric information. The remaining 11% were classified as “other.”

When respondents were asked to describe the impact of the security incidents, surprisingly 45% reported seeing a digital impact or none at all. Among those who did report an impact, the top impacts were disruption of systems and devices impacting business operations (32%) or IT operations (26%), data breach or data leakage (22%), disruption of systems/devices impacting clinical care (21%), and monetary loss (17%).

Despite the enormous cybersecurity exposure healthcare organizations face, and despite the massive run of cybersecurity incidents taking place last year, cybersecurity budgets remain slim. The majority of respondents to the survey (40%) said that six percent or less of their IT budget was allocated to cybersecurity at present. Not only that, 25% reported there was no specific carveout for cybersecurity budgets.

Just 15% of respondents said their cybersecurity budget fell into the 7 percent to 10 percent range, and only 11% said their cybersecurity budget made up more than 10 percent.

Cybersecurity budgets have remained at six percent or less of the overall IT budget since the HIMSS Cybersecurity Survey was conducted in 2018.

It’s hard to imagine that healthcare leaders would continue to let cybersecurity slide in the wake of such a terrible year for security incidents. However, if the past is prologue, it may be that even this won’t convince them to shake up the status quo and spend more on what is so clearly a crying need.

True, the threat landscape may cool down a bit as the pandemic ebbs, but it’s unlikely it will change dramatically for the better. Once again, as I have countless times over the years, I hope to see cybersecurity spending climb for everyone’s benefit.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

   
