Cyberattacks are on the rise in healthcare, and provider organizations are understandably shaken. In fact, less than half of healthcare IT professionals expressed confidence in their organization’s overall level of cybersecurity, according to Future Proofing Healthcare: Cybersecurity, a survey of 101 healthcare-provider-organization IT professionals conducted by HIMSS Analytics and sponsored by Commvault.
This trepidation around data security is understandable because “healthcare information is a huge target for cyberattackers as the information found in healthcare systems is worth much more than information in other business systems,” said Michael Leonard, senior director, healthcare product management, Commvault.
Interestingly, healthcare IT professionals are feeling more confident about specific components of their data security efforts such as firewall protection (73 percent expressed confidence), data backup and protection (65 percent), file encryption (53 percent) and malware/ransomware security (53 percent) than their overall level of security (48 percent).
To bridge this gap, healthcare leaders are acknowledging the need for employee education. In fact, internal security training emerged as the No. 1 way that healthcare providers plan on addressing cybersecurity (88 percent), according to the 101 healthcare IT professionals who were surveyed.
“Traditionally, CISOs and CTOs have assumed that if they just buy X set of products or hire Y set of vendors, their security problems can largely be solved. There’s a fundamental misconception and fallacy in that argument,” said Mike Feld, acting chief technology officer at Temple University Health System. “The first thing is that much of the security comes down to user behavior. There’s no question that there’s a great deal of technology involved. But the truth is, user behavior either can obviate a great deal of that investment, or it can actually support it. And for most organizations, that is the toughest part of data security.”
Leonard agrees that the time is now to start focusing on increasing internal cybersecurity educational efforts at healthcare organizations. “In many cases, cyberattackers are helped inadvertently by the folks who work for the healthcare organization. That can be when somebody in the C-suite is sent an email and believes it is from another C-level person. The recipient makes a bad decision, doesn’t double-check and sends money somewhere. It could be somebody further down in the organization who responds to some sort of phishing expedition and opens up the organization. So, the biggest need right now is to really educate the staff,” he said.
While organizations need to zero in on security education, almost two-thirds of the survey respondents indicated that they are planning additional technology investments as well.
To that end, next-generation firewalls were identified as the practice or service that healthcare IT leaders most expected to implement within the next two years, with 40 percent of respondents planning to leverage these technologies, followed by cyberthreat intelligence, which is in the works for 36 percent of healthcare organizations. The need for both the blocking mechanism and the insight, however, is strong.
“Of course, it is important to have the most effective firewalls in place, but you can no longer just say we have a firewall in place and that nobody can get through it,” Leonard said. “You have to assume that someone will get through the firewall in some way, shape or form – whether it’s through email or some other mechanism. Organizations will need to implement and effectively manage the right mix of technology solutions that will work together to help mitigate, prevent and recover from such attacks.”