While healthcare organizations spent more on information technology from 2016 to 2017, the number of cyberattacks also increased, according to a new survey from the Ponemon Institute.
The healthcare organizations surveyed experienced an average of 16 cyberattacks each in 2017, up from 11 the year before, with the majority of respondents saying patient data had been breached or lost in the last year.
Healthcare organizations with chief information security officers and incident response plans fared best against these costly threats. The survey put the cost of recovering from a single cyberattack at nearly $4 million, against average IT spending of $30 million per healthcare organization in 2017.
But just 15% of that budget is spent on information security, according to the survey of healthcare IT and IT security staff. That may not be enough, said Brian Wells, chief technology officer of Merlin International, sponsor of the survey.
Not only are breaches costing organizations money to secure their data and infrastructure, they're also costing them patients. A quarter of consumers switched healthcare providers because of data breaches, according to a 2017 Accenture survey.
"Things aren't getting better fast enough," Wells said. "That stems from a lack of resources, a lack of funding to spend on this, and if they have the funding, they're having a hard time finding people to apply their expertise."
More than half of those surveyed cited insufficient budget as a challenge, and 74% cited insufficient staffing.
While a little more than half of respondents said legacy systems put patient information at risk, about the same percentage said new technologies, such as the cloud, also put that information at risk. Organizations also said that poor employee engagement and inadequate security measures in third-party contracts raised the risk of patient-data breaches.
Increasing employee engagement should begin at the board level so those in charge can allocate more funding to cybersecurity, Wells said. Then, "they need to educate their staff," he added. "Still, employees are not being educated regularly enough. It's not that expensive to provide a training and education program."
Another area organizations need to focus on is medical devices, Wells said. The majority of those surveyed said medical device security was not part of their cybersecurity strategy. "They really need to be worried about medical devices," Wells said.
Part of the problem may be how difficult it is to recruit security personnel, according to the survey. Just a fifth of respondents said recruiting IT security staff was "not difficult." And only half of the organizations surveyed have chief information security officers in place.
"Without that single point of focus and priority-setting and guidance, they're not going to make the progress they need to make," Wells said. "They're not even prepared for the eventual attack," he said of those organizations without dedicated chief information security officers.
That's especially troublesome at a time when attacks, ransomware in particular, are becoming more frequent. In healthcare, 70% of recent attacks involving malicious code were ransomware, according to a Verizon study. "The hackers have figured out it's a safe way to make money," Wells said. "That's going to bring more hackers into the field, so (healthcare organizations) aren't going to escape being attacked for long."