New CDW Research Report: Shortages Impact Healthcare Cybersecurity Strategies

Gaining a Clearer Picture of Healthcare Cybersecurity

Having visibility into a healthcare organization’s IT ecosystem is key for detecting and responding to cyberattacks. However, only 47 percent of health IT leaders surveyed say that they are very confident that they have sufficient visibility into their organizations’ cybersecurity landscapes. More than a third of leaders say that they are “somewhat confident,” and nearly 8 percent say that they are somewhat or very unconfident.

When it comes to improving visibility into healthcare environments, IT leaders report that network monitoring, identity and access management, security information and event management (SIEM), and endpoint security tools are the most effective.

Executives must understand that cybersecurity problems can affect every aspect of an organization’s operations, not just IT functions, says Buck Bell, leader of CDW’s Global Security Strategy Office. “The more holistic your view of the enterprise as a whole — not only the specific cyber risk itself but also the business impacts that are associated with it — typically, the more successful you’re going to be in your cyber resilience aims. From my perspective, cyber risk is business risk.”

EXPLORE: Zero trust supports cyber resilience for healthcare organizations.

Budget and Training Challenges for Healthcare Cybersecurity

About a quarter of those surveyed say that their organizations lack sufficient budgetary resources. At the same time, reporting to organization leadership is one of health IT leaders’ top stressors.

While reporting to executive leadership and boards can be challenging, there are several practices that health IT leaders can employ to showcase the benefits of cybersecurity investments for health systems. According to the report, the most effective way to justify an increased security investment is to highlight its positive impact, such as increasing operational efficiencies or simplifying logins with single sign-on.

Other effective tactics include:

• Showing the cost of a data breach to the organization
• Explaining the cost of regulatory fines in the event of a breach
• Showing the value of brand trust
• Tying the security budget into a larger initiative such as a digital transformation project, customer experience or a modern workplace initiative

Ensuring proper resource coverage, equipping the team with a robust tool budget, and providing certification and education opportunities are the most effective ways to retain IT security staff, according to the report.

Health IT leaders are also stressed about hours worked, a lack of tools, complying with regulatory standards and a lack of understanding of the importance of cybersecurity within the organization. This is where security training can help. Security training is seen as helpful by more than three-quarters of leaders surveyed.

While security training is considered helpful by most organizations, approximately 34 percent of healthcare leaders say that their organizations lack sufficient or effective employee training for cybersecurity. Without training, healthcare staff, including clinicians, may be more likely to click on malicious links or engage in other unsecure practices that could lead to successful cyberattacks and put patient data at risk.

“Many respondents said they needed better enablement and training for their people,” Hagopian says. “Developing your workforce is really essential so that your team is better equipped to handle the dynamic threat landscape. As a byproduct of comprehensive people development that’s focused not only on technology operations but also on methodologies, processes and frameworks, it will make your people feel more valued within your organization.”

Other areas that health IT leaders say are missing from their organizations’ approaches to cybersecurity include sufficient threat detection (24 percent), sufficient understanding of staffing needs (20 percent) and sufficient planning for incident response (20 percent).

Health IT leaders are also concerned about the pros and cons of AI. Thirty-one percent of those surveyed report that their organizations lack a complete understanding of how AI affects security.

DISCOVER: What role does AI play in healthcare cybersecurity?

Managed Services Support Healthcare Cybersecurity Goals

IT staff shortages can have a major impact on an organization’s ability to meet its technology and security goals. To address this concern, many health systems are turning to managed services. Of the healthcare security leaders surveyed, 80 percent say that managed security services such as security operations centers or SIEM solutions have been helpful for their organizations’ security initiatives. In addition, more than two-thirds of leaders say that they find advisory services to be helpful, while 63 percent say that virtual CISOs are helpful to their organizations.

Only 32 percent of healthcare professionals surveyed say that their organizations aren’t outsourcing any security initiatives. Of the health systems outsourcing areas of their security programs, security training, vulnerability assessments and third-party risk management are the most popular focuses of partner support.

Supporting internal IT teams with managed security services can increase an organization’s overall security posture and mitigate staff burnout. With many health IT leaders reporting losses in the millions due to data breaches over the past five years (9 percent of leaders surveyed reported a loss of more than $10 million), ensuring a holistic and robust cybersecurity and incident response strategy is critical for protecting a business’s bottom line in addition to keeping patient trust and ensuring continuity of care.

“You can find partners to outsource some of these elements out there. Nobody builds their own HVAC system and then sends somebody up to the top to do recharges of the coolant,” says Bell. “Take a look at what you can outsource within the security model to keep your people fresh and doing relevant work for your business.”