Data breaches in the healthcare industry are happening more often than before. In 2019, the HHS’ Office for Civil Rights had so far received reports of 494 data breaches involving over 500 records, and over 41.11 million healthcare records were exposed, impermissibly disclosed or stolen. That figure makes 2019 the worst year ever with regard to the number of healthcare data breaches and the second-worst in terms of the volume of breached healthcare records.
In 2019, about four out of five data breaches involved the healthcare industry. The cost of those breaches to the healthcare industry is estimated to reach $4 billion in 2020.
The poor state of healthcare cybersecurity was highlighted by a late 2019 Black Book Market Research survey of 2,876 healthcare security professionals from 733 provider organizations. The survey examined vulnerabilities, cybersecurity gaps, and inadequacies in the healthcare industry.
The survey showed that over 93% of healthcare companies had experienced a data breach since Q3 of 2016, and 57% of surveyed healthcare workers had experienced more than 5 breaches during that period. Although the risk of a data breach is clearly high, companies do not invest in cybersecurity at the level needed. According to 90% of hospital officials surveyed, IT security budgets have remained unchanged since 2016.
The survey showed that hospital systems have increased their cybersecurity budgets by 6%. Physician organizations, however, have spent less on cybersecurity since 2018, and their allocation is currently under 1% of their IT budget.
When spending money on cybersecurity, organizations often buy solutions blindly or with little understanding or discernment. The survey revealed that from 2016 to 2018, 92% of data security buying decisions made by the C-suite did not involve any users or affected department managers.
Despite the threat of attacks, 92% of healthcare organizations do not have enough full-time cybersecurity experts, and just 21% of hospitals reported having a security executive. Only 6% of survey participants said they had a Chief Information Security Officer (CISO), and just 1.5% of physician organizations with over 10 clinicians reported having a dedicated CISO.
The healthcare industry needs more CISOs and cybersecurity specialists. However, it is uncertain where those people will come from, given the national shortage of skilled cybersecurity specialists. In the meantime, cybersecurity is being outsourced to managed service providers.
The survey also found the following:
- 96% of IT experts say threat actors are moving faster than medical companies.
- Providers are spending more on marketing to repair reputations damaged by a breach than on dealing with the effects of data breaches.
- 35% of healthcare establishments had not scanned for vulnerabilities prior to an attack.
- 87% of healthcare organizations did not have a cybersecurity drill or an incident response procedure.
- 40% of companies surveyed do not assess their cybersecurity status.
- 26% of hospital survey participants and 93% of physician groups reported having no adequate solution to quickly identify and respond to a cyberattack.