Cyberattacks might come from outside an organization, but hospital executives are overwhelmingly concerned that employees are creating security vulnerabilities.
More than 46% of respondents ranked employee security awareness and culture as their number one concern when it comes to security threat exposure, according to a survey conducted by HIMSS Analytics and sponsored by Level3. The survey included responses from 125 IT professionals, managers and executives, most of whom worked in an acute care hospital or health system.
Employee awareness outpaced several other concerns including exposure from third parties, wireless devices, network design and a lack of actionable intelligence. More than three-quarters of survey respondents ranked employee awareness among their top three concerns.
Recent breach data shows that hospital executives have reason to worry: Nearly 60% of breaches in the month of February were the result of insider threats. According to the most recent Protenus Breach Barometer Report, 44% of incidents in March were triggered by insiders.
“The human factor is the hardest part,” Don Lindsey, vice president and CIO of Tallahassee Memorial Healthcare, recently told FierceHealthcare. “You’re only good as good as your security awareness training program.”
Although one-third of respondents said they were highly concerned about a security breach in the coming year, additional protections are often thwarted by lack of funding and the IT department’s standing within the organization. Nearly 43% of respondents said budgets were the top barrier to broader security controls, while 30% said competing priorities were the number one issue.
Although attitudes appear to be changing among hospital executives and board members, cybersecurity hasn’t always been a high-level priority for an industry focused on patient care, John Riggi, a managing director in BDO Consulting’s Technology Advisory Services practice and the former chief of the FBI’s Cyber Division Outreach Section, told FierceHealthcare.
"[Healthcare] is a huge complex environment with limited resources to spend on cybersecurity,” he said. “Sometimes, internally, there are issues in hospitals where the executives, CEOs and boards have not come to grips with the reality that cyberthreats are not just a technology problem, it’s an enterprise-wide risk issue.”