HIMSS Healthcare Cybersecurity Survey: Some improvements, but still a 'long way to go'
The 2021 HIMSS Healthcare Cybersecurity Survey was published this week. It shows an industry that's grappling with an ever more complex attack surface and relentless adversaries – but largely still limited by inadequate security budgets and defense strategies that are too often reactive instead of proactive.
WHY IT MATTERS
The findings of the 2021 survey, which was sponsored by Carahsoft, do show some progress. HIMSS (the parent company of Healthcare IT News) polled 167 healthcare cybersecurity professionals for the 13th annual report and found that a majority of respondents (59%) reported an increase in cybersecurity budgets in 2021 when compared to 2020.
But a "myriad of challenges, including tight budgets, aging infrastructure and an increase in social engineering and ransomware attacks," remain, the report shows. In fact, 67% of poll respondents reported that their healthcare organizations experienced "significant security incidents" in the past 12 months, according to HIMSS.
That makes the fact that 34% of healthcare organizations' security budgets "did not substantially change" in the face of increased threats – or, worse, that 6% of respondents said their cyber spending actually decreased – that much more discouraging.
"Our advancement towards robust healthcare cybersecurity is stymied by tight budgets, growing legacy technology footprints and a haphazard patchwork of security controls," said HIMSS researchers. "Our healthcare organizations' vulnerabilities are growing, yet more progress needs to be made to proactively detect and manage vulnerabilities."
Unsurprisingly, the report shows phishing and ransomware to be the most common security incidents across all healthcare organizations, with financial information still the top target of cyber bad actors, and employee information and patient data not far behind.
The human factor continues to be a major vulnerability – and, exacerbating that risk, the poll shows that many organizations have not fully implemented even basic security controls.
Even though more than half of respondents say they've increased their security spending, it's worth noting that it still represents just 6% of the typical IT budget.
For those that are upping their investments, here is where they're prioritizing, according to the report:
- More upgrades of security solutions (63%)
- More acquisitions of new security solutions (56%)
- Increase in cybersecurity staffing (53%)
- More maintenance of existing infrastructure (48%)
- More security risk assessments or more comprehensive security risk assessments (48%)
- More robust security risk management (47%)
- Increased security awareness training (34%)
- More frequent penetration testing (31%)
- Increased cybersecurity training for IT & IT security staff (28%)
Still, there are not-insignificant gaps that need shoring up, the HIMSS report shows, many of them related to technical debt and outdated technologies.
"Unsupported legacy operating systems aren't commonplace in healthcare organizations, and the footprint is growing," researchers said. Meanwhile, "many organizations are slow to patch," even if "patching is quicker in response to an active security incident."
THE LARGER TREND
"The 2021 HIMSS Healthcare Cybersecurity report provides an in-depth analysis of what's happening across the industry," said HIMSS director of privacy and security Lee Kim. "Some improvements exist, but we still have a long way to go. In this report, we challenge assumptions and ask probing questions to understand what's really happening."
Among the insights to be gained in the study: some granular data about the deployment status across the industry of basic security controls (antivirus/anti-malware and firewalls), second-tier security controls (network monitoring tools, web security gateways, multi-factor authentication and identity/access management) and more advanced third-tier controls (data loss prevention, single sign on, mobile device management, zero trust and more).
One promising approach to readiness and risk mitigation has been bug bounty programs, which offer incentives for teams of researchers to sniff out and report software vulnerabilities that devs and security teams might otherwise have missed.
At the moment, according to the report, "the vast majority of respondents (89%) reported that their healthcare organizations do not participate in bug bounty programs."
ON THE RECORD
"The findings of the 2021 HIMSS Healthcare Cybersecurity Survey suggest that healthcare organizations still have significant challenges to overcome," HIMSS researchers write. "These barriers to progress include tight security budgets, growing legacy footprints and the growing volume of cyberattacks and compromises.
"Additionally, basic security controls have not been fully implemented at many organizations. But perhaps the largest vulnerability is the human factor. Healthcare organizations should do more to support healthcare cybersecurity professionals and their cybersecurity programs."
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.