The biggest perceived threats in healthcare are the risks associated with the Internet of Things (IoT), medical devices, third-party vendors and program development/management, a survey of 60 high-level healthcare executives reveals.
The survey, conducted by CynergisTek Inc., a cybersecurity and compliance firm, also pinpointed some of the disconnects within organizations when it comes to solving these issues, such as a lack of executive leadership buy-in. Key findings include:
• Of the emerging threat areas discussed, more than 50 percent of respondents said they were most concerned about IoT.
• 40 percent said that third-party risk is the threat that concerns them the most.
• Nearly one-third of respondents reported that medical device security is one of the top five risks facing healthcare; however, most reported not having an effective strategy in place to assess the risks posed by medical devices. Even more alarming, 26 percent said they don’t have any process in place at all.
• Almost half of the organizations reported having conducted an incident response exercise only once or not at all.
• Culture was listed as the leading difficulty, over compensation and training, in retaining cybersecurity professionals.
• 54 percent of those surveyed said the biggest barrier to meeting privacy and security challenges was lack of adequate resources—tools, money, people—and only 13 percent said it was lack of senior management buy-in. However, in a follow-up question, 40 percent said that they didn’t know if their boards are more or less involved with cybersecurity and privacy programs than previously.
“The fact that the vast majority of respondents report a lack of resources as a serious constraint against their cybersecurity program, and senior management buy-in as the least concern, shows there is a huge disconnect happening and is extremely troubling,” David Finn, executive vice president of Strategic Innovation at CynergisTek, said in a news release.
“If executive leadership truly understood the business risks posed by inadequate cybersecurity and realized the major operational, financial, and patient safety implications a security incident can have, they would ensure any and all resources needed were available. We need to make sure we are effectively communicating these issues to executive leadership so they make cybersecurity a business priority.”