Healthcare data breaches were widespread in 2019. Next year will be worse.

New survey finds that healthcare systems’ security is being wildly outpaced by hackers.

Healthcare data breaches are on course to top $4 billion in costs in 2019 and the future is looking bleak, according to a new survey from Black Book Market Research LLC.

The report on the survey shows that so far in 2019, the healthcare industry has been the most targeted for cybersecurity breaches. Nearly 80 percent of breaches were against healthcare providers and 53 percent of all provider breaches were caused by external hacking.

The survey found that 96 percent of IT professionals believe that data attackers are outpacing healthcare enterprises leading to a disadvantage in responding to vulnerabilities. It showed that more than 93 percent of healthcare organizations had a data breach since Q3 2016, and 57 percent had more than five breaches during that time period. This has led to the theft of more than 300 million medical records affecting 10 percent of patients.

The estimated cost of a breach by the respondent hospital organizations that had a breach in 2019 is $423 per record, according to the survey.

Part of the issue, the survey says, is due to budget constraints on IT with respondents saying the critical department makes up an average of six percent of their budget and less than one percent of IT budgets earmarked for cybersecurity in 2020.

About 33 percent of hospital executives who purchased cybersecurity solutions between 2016 and 2018 chose their vendor without much vision or discernment. About 92 percent of data security or service decisions since 2016 were made without any users or affected department managers being involved and only four percent of organizations used a steering committee to study the impact of the investment, the survey said.

Only 21 percent of surveyed hospitals reported having a dedicated security executive and only six percent identified that person as a Chief Information Security Officer (CISO). Only 1.5 percent of physician groups with more than 10 clinicians on staff reported having a dedicated CISO, the survey says.

Still, 58 percent of respondent hospitals did not seek their current security vendor before a cybersecurity incident while 94 percent said they’ve not augmented their cybersecurity protections since their last breach and 35 percent of healthcare organizations didn’t scan for vulnerabilities before an attack, according to the survey.

"The key place to start when choosing a cybersecurity vendor is to understand your threat landscape, understanding the type of services vendors offer and comparing that to your organization's risk framework to select your best-suited vendor," Doug Brown, founder of Black Book, is quoted as saying in the survey. "Healthcare organizations are also more prone to attacks than other industries because they persist at managing through breaches reactively and not proactively."