Getty Images

87% Health Orgs Lack Security Personnel for Effective Cyber Posture

More than half of health organizations faced cyberattacks that caused $1.8 million in damages, as the majority of security leaders say they lack the needed personnel for an effective security posture.

Eighty-seven percent of healthcare IT security leaders say they don’t have the personnel needed to achieve a more effective security posture, as more than half of healthcare organizations experienced a cyberattack in the past year, according to a new report from Keeper Security.

The numbers are slightly worse than the 2017 Department of Health and Human Services’ Cyber Security Task Force report that showed three in four hospitals were operating without a designated security person.

In total, two-thirds of healthcare providers around the globe have faced a cyber event in their lifetime.

Ponemon Institute conducted the survey of 2,391 IT and IT security leaders around the world to get a sense of the current threat landscape.

The report showed that while it’s true attacks are becoming increasingly sophisticated and targeted, the real challenge for healthcare lies in staffing and budgetary constraints. Just one-third of respondents said they had a sufficient budget for supporting strong IT security.

In fact, 90 percent of healthcare organizations dedicate less than 20 percent of their IT budget to cybersecurity. The average amount is just 13 percent. An earlier report from Black Book research showed that budget constraints make it difficult to replace legacy software and budgets have remained level since 2016 – despite the increase in frequency and sophistication of attacks.

According to the Keeper report, healthcare organizations are then spending an average of $1.8 million in recovery costs stemming from the disruption of normal care operations.

In the last half of 2019  alone, dozens of providers were forced offline due to ransomware attacks, while cyberattacks on three IT vendors forced hundreds of dental and nursing facilities offline.

Despite the need, just half of respondents said they have a plan for responding to a cyberattack.

The report also found healthcare data breaches resulted in an average of 7,202 lost or stolen patient and employee records. The three most commonly reported attacks were phishing (68 percent), malware (41 percent), and web-based attacks (40 percent).

Notably, more than half of healthcare organizations don’t have visibility into their employees’ password practices, despite 66 percent of respondents agreeing passwords are an important part of preventative cybersecurity measures.

The report mirrors a recent Yubico report that showed even health IT security practitioners are engaging in risk password and authentication practices with just 31 percent reporting that they use a password manager, “effective tools to securely create, manage, and store passwords.”

“Electronic health records are some of the most lucrative documents on the dark web, so it’s not surprising that the healthcare industry is highly-targeted by cybercriminals,” Darren Guccione, Keeper CEO, said in a statement. “While the majority of healthcare organizations have already experienced a cyberattack, this research shows the industry still doesn’t have the necessary resources and budget allocated to preventing and responding to major data breaches.

“Patients depend on providers to protect their sensitive health information and moreover, their lives via connected medical devices,” he added. “Therefore, it’s critical that cybersecurity become a top priority in healthcare.”

Both NIST and the The Healthcare and Public Health Sector Coordinating Council have released guides for the healthcare sector to increase the number of cybersecurity leaders within the enterprise, which can help providers get creative when attempting to fill those crucial security gaps.

Next Steps

Dig Deeper on Cybersecurity strategies