Despite a record number of attacks plaguing the healthcare industry, there is hesitancy to invest in the cybersecurity tools it needs. According to a recently released KPMG survey, 2017 Cyber Healthcare & Life Sciences, 43 percent of respondents have not increased their security budgets even though the number of breaches in healthcare continues to increase.
The KPMG study also reports that healthcare organizations are not increasing spending despite being aware that investments in new technologies come with new or changed risks. According to the survey, 53 percent of respondents perceive a risk in moving to the cloud. That’s followed by 46 percent for as-a-service applications and 38 percent for clinical decision-making toolsets. These numbers surprise me a little, and perhaps it’s wishful thinking on the part of the 47 percent of healthcare respondents who believe that the cloud doesn’t change their risk, or perhaps they’re just not aware that moving to the cloud doesn’t actually shift the risk to the cloud provider.
In addition to the 43 percent currently not increasing their security budgets, 42 percent have no plan in place to increase their security spending in the next year. And, sit down for this one: 34 percent have not invested in information security at all in the past year.
The survey also highlighted that, largely due to increased use of cloud and digital services, healthcare organizations are outsourcing more of their business functions, from electronic health records to business management software. While awareness and spending on information security may not be on the rise among those surveyed, many are assessing the security stance of their providers either continuously or monthly. It was surprising that about half of survey respondents wouldn’t re-evaluate a service provider because of a security vulnerability.
Here is the complete breakdown of frequency of vendor assessments:
- Continuously: 14 percent
- Monthly: 28 percent
- Quarterly: 39 percent
- Annually: 11 percent
- Not certain: 11 percent
How are healthcare companies assessing their third-party providers? Sixty-six percent have right-to-audit provisions in their contracts, while 43 percent look at SOC 2/HITRUST certifications and 40 percent survey third parties. Surprisingly, 47 percent of organizations don’t have a policy in place that would trigger a change in a vendor relationship due to an information security event of some sort. Among those that do have such a policy, the triggers cited are frequent HIPAA violations (25 percent) and malware attacks (24 percent).
Finally, while healthcare providers are not investing in security overall, they are investing in stronger processes (82 percent) and more security tools (79 percent) such as encryption and firewalls. However, since only 24 percent plan to invest in security staff, it’s not clear whether they believe they already have the expertise on staff to run these tools or that they don’t need it.
While many healthcare organizations are seemingly pulling back on their security spending, the Department of Health and Human Services (HHS) Office for Civil Rights recently changed its HIPAA data breach reporting tool in order to make it easier for users to find recent breaches, the department said.
The primary change is that the main web page now lists only breach reports made in the last 24 months that are still being investigated. All others are moved to an Archive tab, which includes information on how those cases were resolved.
Additionally, a new Help for Consumers tab was added as an information source for those who believe they have fallen victim to medical identity theft.
“HHS heard from the public that we needed to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches,” said HHS Secretary Tom Price, M.D., in a statement. “To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned consumers.”