Top cybersecurity mistakes health organizations make
Despite healthcare organizations' best attempts at maintaining patient confidentiality, the industry regularly accounts for a staggering number of data breaches. According to the latest Identity Theft Resource Center (ITRC) report, more than 120 million patient records were compromised in 2015 due to healthcare incidents alone.
Critics are quick to attribute these breaches to granular issues such as legacy infrastructure or poor identity access management. However, bigger picture problems include underinvestment in critical systems, conflation of compliance and security concerns, and an overreliance on internal expertise, that have left many firms without the means to accurately assess and defend against cyber attacks.
There are a number of drivers behind healthcare entities' poor security hygiene. Obstacles from organizational culture to resource allocation make it difficult for firms to embed cybersecurity throughout their operations. Before healthcare organizations can make meaningful strides toward better cybersecurity practices, they must address the underlying causes that leave them vulnerable in the first place.
Compared to other industries, healthcare organizations don't adequately invest in security leadership, nor do they have a vast talent pool from which to pull. An ISACA study from early 2015 found that 86% of organizations feel there's a global shortage of skilled cybersecurity professionals. As a result, many healthcare organizations are living without chief information security officers (CISOs), or they are promoting IT directors and adding security to their purview.
Without CISO representation, organizations lack a board presence to address cybersecurity-related issues, or advocate for solving them. Providers are not expected to become cybersecurity gurus in their own right, but failing to appoint IT security leaders makes it too easy to ignore security concerns until a crisis strikes. Tacking security on to existing directors' responsibilities isn't a sound fix either; instead, it can lead to more mismanagement and internal vulnerabilities.
Security should be handled separately from day-to-day IT concerns, and healthcare organizations’ leadership structure should mirror this. Without a clear chain of command with regard to cybersecurity, everyone’s problem quickly becomes nobody’s problem.