CynergisTek, Inc. recently announced findings from its first “CAPP Conference Survey.” The survey was administered to attendees of the company’s inaugural CAPP Community Conference: Cybersecurity 2019 this past May, which focused on tackling some of the most pressing issues facing healthcare cybersecurity and privacy, including vendor breaches and risks, new state privacy laws, privacy and security culture, and medical device security. The survey of approximately 60 C-level healthcare executives revealed the greatest perceived threats and current challenges these organizations are facing in cybersecurity and privacy.
Overall, the findings highlighted that the issues respondents were most concerned about were the risks associated with Internet of Things (IoT), medical devices, third-party vendors, and program development/management. However, the data also pinpointed some of the barriers or disconnects within organizations that stand in the way of solving these issues, such as executive leadership buy-in. Most notably:
- 40% responded that third-party risk is the threat that concerns them the most.
- Of the emerging threat areas (5G, AI, IoT, and supply chain) discussed, more than 50% responded that they were the most concerned about IoT.
- Nearly one third of respondents reported that medical device security is one of the top five risks facing healthcare, according to the Health Industry Cybersecurity Practices; however, most reported not having an effective strategy in place to assess the risks posed by medical devices. Even more alarming, 26% said they don’t have any process in place at all.
- Almost half of the organizations reported having conducted an incident response exercise only one time, or never having done one at all.
- “Culture” was listed as the leading difficulty (over compensation and training) in retaining cybersecurity professionals.
- 54% of those surveyed said the biggest barrier to meeting privacy and security challenges was a lack of adequate resources (tools, money, or people), and only 13% said it was senior management buy-in. However, in a follow-up question, 40% responded that they didn’t know if their Boards were more or less involved with cybersecurity and privacy programs than they previously had been.
“The fact that the vast majority of respondents report a lack of resources as a serious constraint against their cybersecurity program, and senior management buy-in as the least concern, shows there is a huge disconnect happening and is extremely troubling,” said David Finn, executive vice president of strategic innovation at CynergisTek. “If executive leadership truly understood the business risks posed by inadequate cybersecurity and realized the major operational, financial, and patient safety implications a security incident can have, they would ensure any and all resources needed were available. We need to make sure we are effectively communicating these issues to executive leadership so they make cybersecurity a business priority.”
The “CAPP Conference Survey” findings reiterate the issues facing the healthcare industry today and the difficulty of keeping up with the ever-advancing cybersecurity world. The disparity between the severity of these cybersecurity threats and the lack of urgency from organizations to implement a plan or solution is creating a dangerous landscape that many healthcare organizations have fallen victim to. The CAPP Conference provided a platform to help bridge this gap by bringing together industry experts and CynergisTek’s CAPP community members to serve as resources to one another, address these common issues, and work together to find a resolution.
For the complete “CAPP Conference Survey” data, please visit https://insights.cynergistek.com/slideshare/capp-conference-survey.