Data breaches in the healthcare sector are occurring more frequently than ever. In 2019, the HHS' Office for Civil Rights received 494 reports of data breaches affecting more than 500 records, and those reports indicate that over 41.11 million healthcare records were stolen, exposed, or impermissibly disclosed. That makes 2019 the worst year on record for the number of healthcare data breaches and the second-worst for the number of breached healthcare records.
In 2019, four out of five reported data breaches came from the healthcare industry. The cost of healthcare data breaches is projected to rise to $4 billion in 2020.
A Black Book Market Research survey published in late 2019 highlighted the poor state of healthcare cybersecurity. The survey drew on 2,876 healthcare security professionals from 733 healthcare organizations and examined the industry's vulnerabilities, cybersecurity gaps, and shortfalls.
According to the survey results, more than 93% of healthcare organizations have experienced a data breach since Q3 2016, and 57% of the healthcare employees surveyed reported more than five breaches in that period. Although the risk of a data breach is clearly high, organizations are still not investing in cybersecurity at the level required: 90% of the hospital officers surveyed said their IT security budgets have not changed since 2016.
Hospital systems did increase their cybersecurity budgets by 6% in aggregate. Physician organizations, however, have spent less on cybersecurity since 2018, and their current allocation is below 1% of their IT budget.
Organizations that do spend money on cybersecurity frequently purchase solutions with little analysis or discernment. The survey found that between 2016 and 2018, the C-suite made 92% of data security purchasing decisions without involving end users or the managers of the departments affected.
Despite the evident threat of cyberattacks, 92% of healthcare providers lack a full-time cybersecurity specialist. Only 21% of hospitals have a dedicated security officer, and only 6% of survey respondents said their organization has a Chief Information Security Officer (CISO). Among physician organizations with more than 10 clinicians, only 1.5% reported having a dedicated CISO.
The healthcare sector needs more CISOs and cybersecurity experts, but it is unclear where they will come from given the national shortage of skilled cybersecurity professionals. In the meantime, many organizations outsource cybersecurity to managed service providers.
The survey also reported the following findings:
96% of IT professionals say threat actors move faster than medical organizations do.
Providers spend more on marketing to repair a damaged reputation after a breach than on defending against breaches in the first place.
35% of healthcare organizations had not conducted a vulnerability scan before they were attacked.
87% of healthcare organizations have no cybersecurity drills and no incident response procedures.
40% of organizations do not review their cybersecurity posture.
26% of hospital respondents and 93% of physician organizations said they lack a quick way to identify and respond to a cyberattack.