Health Execs Say Vendors Are the Worst Cyberthreat. But Most Don't Vet Partner Security

Healthcare executives are most concerned about risks associated with Internet of Things, medical devices, third-party vendors and program development/management, according to the findings of a new survey from CynergisTek.

One of the glaring results of the survey is that despite 40% of health executives claiming that third-party vendors are their organization’s biggest threat, just 60% are doing pre- and post-acquisition security evaluations of vendors. In fact, 13% indicated that they never review vendor security evaluations.

CynergisTek said this finding suggests that evaluations are inadequate and that there is a disconnect between what is being evaluated and the security team.

The survey findings lead up to one conclusion: “It’s time to change our habits,” CynergisTek noted.

While medical devices are a top cybersecurity concern, none of the respondents indicated having an effective medical device strategy in place. What’s more, 26% reported not having a process in place at all. Roughly 75% have a strategy in place but do not know if it’s effective.

Of the respondents, 40% did not know if their board was more or less involved with privacy and cybersecurity compared to past years. These respondents do not know what their boards hear or discuss regarding privacy and security. The remaining 60% said their board is more involved than in years past.

More than half (54%) of respondents said resources are the biggest challenge to meeting privacy and security needs. And 50% said culture is the most important factor for retaining cybersecurity staff.

Healthcare executives indicated that the biggest barriers to changing culture are accountability (39%) and old habits die hard (39%).

While a majority of the executives are most concerned about third-party vendors, social engineering and phishing and insiders each received 27% of the vote.

Despite 28% of respondents claiming that their organization conducts incident response exercises multiple times a year, the same amount indicated they never do.

Nearly 70% answered that resources required to mature their user access monitoring program is the biggest barrier to expanding it. Only 11% said the biggest barrier is executive level buy-in from senior management.

“The fact that the vast majority of respondents report a lack of resources as a serious constraint against their cybersecurity program and senior management buy-in as the least concern shows there is a huge disconnect happening and is extremely troubling,” said David Finn, executive vice president of strategic innovation at CynergisTek. “If executive leadership truly understood the business risks posed by inadequate cybersecurity and realized the major operational, financial and patient safety implications a security can have, they would ensure any and all resources needed were available.”

CynergisTek administered the survey last month to roughly 60 healthcare executives at its Compliance Assist Partner Program Community Conference: Cybersecurity 2019., The survey focused on the pressing issues facing healthcare cybersecurity and privacy. Topics included vendor breaches and risks, new state privacy laws, privacy and security culture and medical device security.

Get the best insights in digital health directly to your inbox.

Related

Key Considerations for Securing Your Digital Healthcare Cloud

Giving Data Security a Human Face to Regain Patient Trust

Why Healthcare Is So Vulnerable to Ransomware and What We Can Do About It