Healthcare organizations are putting their money where their security concerns are. Information technology budgets allocated specifically to cybersecurity have grown over the past three years – as the number of healthcare organizations dedicating more than 10 percent of overall IT budgets to cybersecurity has increased 139 percent, according to Future Proofing Healthcare: Cybersecurity, a survey of 101 healthcare IT professionals conducted by HIMSS Analytics and sponsored by Commvault.

This spike in financial support could be emanating from the fact that “healthcare IT professionals are putting cybersecurity concerns in front of CEOs and CFOs to make a case for the budget that they need. There’s no way around that. They are elevating the issue high enough in the organization so they can get the resources required,” said Michael Leonard, senior director, healthcare product management, Commvault. “CEOs and CFOs are now much more aware of the impact not investing in cybersecurity has on their organizations.”

Once funds are secured for cybersecurity efforts, healthcare IT organizations need to decide how to best allocate them. One of the fundamental choices centers around how much to invest in educating existing staff versus technology purchases, or hiring additional staff or consultants to address ongoing threats.

According to the HIMSS Analytics study, increasing employee awareness and training around security issues is emerging as the top concern, as 64 percent of respondents chose such educational efforts as the foremost cybersecurity priority for the next two years. Healthcare IT professionals still acknowledge the value of new technologies – as 53 percent selected improving network design and segmentation as a top priority, while 51 percent chose adopting technologies, tools and controls as a top preference.

Mike Feld, acting chief technology officer at Temple University Health System, however, doesn’t think healthcare organizations should view the decision as an “either-or choice,” but instead should concentrate on getting the right mix of training and new technologies in place.

Healthcare leaders need to arrive at the right “combination of education that leads to changed behavior and technology that helps to protect from cyberattacks. When you look at a particular event such as malware being delivered through email, you have to teach employees that this is what a suspicious email looks like, and you have to educate them to eliminate the behavior that would lead them to clicking on the dangerous malware. At the same time, organizations need to then ‘layer in’ the appropriate technology so they can say to employees, ‘You have to pay attention to your email, but we're going to do our best to eliminate certain components and likely types of email that you might see,’” Feld explained.

While provider organizations are looking to increase educational efforts and adopt new technologies, they are primarily planning to rely on current staff members who are already dedicated to cybersecurity to support security initiatives, as the number of healthcare organizations with at least one full-time employee assigned specifically to cybersecurity is expected to only grow from 80 percent to 87 percent in the next two years.  

Perhaps more important than hiring additional staff or consultants to address security, however, is the fact that responsibility for cybersecurity should permeate across organizations, Leonard said.

“Most providers have IT folks who are responsible for cybersecurity. But responsibility should spread out across the entire organization and could include people from human resources or finance helping to make sure cybersecurity issues are adequately addressed,” said Feld. “Cybersecurity is not just an IT issue, it’s also a corporate culture or health-system-culture issue that goes well beyond IT. Every employee is responsible for cybersecurity at the end of the day.”