An overwhelming majority of healthcare providers do not have a point person for cybersecurity, according to a survey released this week.
Eighty-four percent of provider organizations said they lack a reliable leader for enterprise cybersecurity, and just 11% say they plan to fill a cybersecurity leadership position in 2018. The survey, conducted by Black Book, included responses from more than 300 “strategic decision makers” at U.S. healthcare organizations.
The payer industry placed a bigger premium on security leadership, with 31% of respondents indicating they have someone who oversees their cybersecurity program and 44% planning to fill the position next year.
The survey paints an unflattering portrait of healthcare’s cybersecurity posture. More than half of providers said they do not perform regular risk assessments and nearly 40% admitted they don’t conduct penetration testing.
But those statistics diverge from another survey conducted by the Healthcare Information and Management Systems Society (HIMSS) this year, which featured input from 126 information security professionals across a variety of healthcare sectors. Among those respondents, 60% said they have a dedicated senior executive for cybersecurity.
Part of that traces back to a lack of cybersecurity talent. Experts on the Department of Health and Human Services Cybersecurity Task Force outlined the shortage in a report released earlier this year, noting that small rural providers are particularly susceptible to what the report categorized as a “severe” shortage.
But another key reason for the lack of cybersecurity roles traces back to the board, according to the Black Book survey. More than 92% of executives surveyed said data breach threats are not a priority for their board of directors, according to the Black Book survey.
“Cybersecurity has to be a top-down strategic initiative as it’s far too difficult for IT security teams to achieve their goals without the board leading the charge,” said Doug Brown, managing partner of Black Book.