    Top cybersecurity mistakes health organizations make


    Despite healthcare organizations' best attempts at maintaining patient confidentiality, the industry regularly accounts for a staggering number of data breaches. According to the latest Identity Theft Resource Center (ITRC) report, more than 120 million patient records were compromised in 2015 due to healthcare incidents alone.

    Critics are quick to attribute these breaches to granular issues such as legacy infrastructure or poor identity access management. However, bigger-picture problems, including underinvestment in critical systems, conflation of compliance and security concerns, and an overreliance on internal expertise, have left many firms without the means to accurately assess and defend against cyber attacks.

    There are a number of drivers behind healthcare entities' poor security hygiene. Obstacles from organizational culture to resource allocation make it difficult for firms to embed cybersecurity throughout their operations. Before healthcare organizations can make meaningful strides toward better cybersecurity practices, they must address the underlying causes that leave them vulnerable in the first place.

    Leadership deficiencies

    Compared to other industries, healthcare organizations don't adequately invest in security leadership, nor do they have a vast talent pool from which to pull. An ISACA study from early 2015 found that 86% of organizations feel there's a global shortage of skilled cybersecurity professionals. As a result, many healthcare organizations are living without chief information security officers (CISOs), or they are promoting IT directors and adding security to their purview.

    Without CISO representation, organizations lack a board presence to address cybersecurity-related issues, or advocate for solving them. Providers are not expected to become cybersecurity gurus in their own right, but failing to appoint IT security leaders makes it too easy to ignore security concerns until a crisis strikes. Tacking security on to existing directors' responsibilities isn't a sound fix either; instead, it can lead to more mismanagement and internal vulnerabilities.

    Security should be handled separately from day-to-day IT concerns, and healthcare organizations’ leadership structure should mirror this. Without a clear chain of command with regard to cybersecurity, everyone’s problem quickly becomes nobody’s problem.




    Sean Curran
    Sean Curran is a director in West Monroe Partners’ Technology Infrastructure & Operations Practice, based in Chicago. He has more than ...
    Will Hinde
    Will Hinde is with West Monroe Partners

