Healthcare executives report a growing number of cyberattacks against their organizations over the past two years, and the vast majority have countered with larger cybersecurity investments to combat those threats.
But analysts say that funding is concentrated too heavily on technology and not enough on staffing.
Two-thirds of healthcare organizations have invested in information security over the past year, according to a survey by KPMG scheduled to be released on Monday. The survey included responses from 100 C-suite executives with technology or security oversight at payer and provider organizations with more than $500 million in annual revenue.
Although cybersecurity spending is a priority given the increasing percentage of organizations that experienced an attack in the last two years, most of that money is going toward new technology, including software, firewalls and encryption. Nearly 8 in 10 respondents said they plan to increase investments in technology and 82% said investments would go toward stronger policies around access to data.
Staffing ranked dead last among planned investments. Just 24% indicated they were investing in hiring and training staff.
“Software can only protect you so far and staff is important when it comes time to respond to a data breach,” Michael Ebert, leader of KPMG’s cybersecurity group in healthcare and life sciences, said in a release. “The respondents that are not emphasizing staff and processes are underestimating the threats or creating a false sense of security among their management and board.”
Two global malware attacks in May and June offered a sobering reminder that healthcare faces serious threats that can compromise hospital operations. But payers and providers may also be hamstrung by a severe cybersecurity workforce shortage. Members of the Department of Health and Human Services Task Force highlighted the lack of security talent in healthcare organizations as one of the biggest challenges facing the industry.
Although a HIMSS survey earlier this year indicated hospital executives see employee awareness as their biggest threat exposure, 69% of respondents in the KPMG survey said external hacking was the culprit of a cyberattack over the last year, followed by malware introduced through human error.