Cybersecurity Leadership is Limited at Many Health Care Orgs: Study

You could be forgiven these days for thinking that a large-scale health care data breach happens every other day, given how much such breaches have dominated headlines. Indeed, an Accenture study from earlier this year found that 26 percent of Americans have had their data breached. And in May, the “WannaCry” ransomware attack caused chaos around the world, including for health care organizations. A common thread after breaches has been experts urging health care organizations to take cybersecurity more seriously, but as the results of a new Black Book Research study highlight, many appear not to be taking all the necessary steps to do so. As Healthcare IT News first reported, Black Book researchers found that the majority of health care organizations lack cybersecurity leadership, and that many fail to adhere to cybersecurity best practices, putting them at risk. Said Black Book managing partner Doug Brown in a statement, “The low security posture of most health care organizations may prove a target demographic for which these attacks are successful.”

The researchers surveyed more than 300 people classified as “strategic decision makers” at health care organizations throughout the United States. They found that more than eight in 10 organizations did not have “a reliable enterprise leader for cybersecurity.” What’s more, a mere 11 percent reported that they would be hiring a cybersecurity officer in 2018. Payers fared a little better; 31 percent reported having a cybersecurity leadership position, while 44 percent had plans to fill such a position in the next year. Many organizations also seem to be largely failing to adhere to key cybersecurity best practices; per Black Book, “54 percent of respondents admitted they do not conduct regular risk assessments, while 39 percent don’t carry out regular penetration testing on their firewalls.”

One key reason why organizations may not be prioritizing cybersecurity to the degree that they should: a lack of interest from corporate leadership. The Black Book press release notes that an overwhelming 92 percent of respondents told researchers “cybersecurity and the threat of data breach are still not major talking points with their board of directors.” Buy-in from an organization’s leadership, Black Book’s Brown notes, is crucial when implementing any cybersecurity initiative. “Cybersecurity has to be a top-down strategic initiative as it’s far too difficult for IT security teams to achieve their goals without the board leading the charge,” he said in the press release.
