Resource constraints hamper hospital cybersecurity efforts

Despite growing cybersecurity threats against healthcare organizations, many continue to struggle with lack of resources, according to new research from HIMSS Analytics and Symantec Corp.

Few organizations devote more than 6 percent of IT budgets to data security, according to the poll of 115 hospital IT and security personnel. And more than half said their organizations allocated 3 percent or less of their total IT budget to security in 2015. That's much less than other industry sectors, the report notes.

Seventy-two percent of respondents said they have five or fewer IT employees allocated to data security, and even when counting employees outside of IT with data security responsibilities, they averaged 10 people focused on security.

Other findings of the survey include:

  • Most organizations conduct IT security risk assessments only once a year.
  • Only 23 percent have an ongoing, consistent risk-management program.
  • Most organizations are not providing employee training and education needed to build and maintain cybersecurity awareness.
  • Half of the respondents said they are just beginning to address medical device security.
  • Many security leaders have only occasional interactions with top-level leadership.
  • In most healthcare entities, chief information security officers report to the chief information officer, and in effect, police their bosses. Only about 20 percent are independent.

Healthcare is "an industry in turmoil" when it comes to cybersecurity, and patient health is "extremely vulnerable" due to insufficient efforts, a two-year study by Baltimore-based Independent Security Evaluators concluded recently.

In addition, a lack of employee training on security remains especially troubling, according to attorney Mary Ellen Callahan. It's essential to know where your organization's encrypted "crown jewels" are and ensure that they're regularly backed up, she previously told AHA News.

To learn more:
- here's the report