The study, based on a survey of 223 U.S.-based health care executives at companies having at least $500 million in revenue, found that health care organizations are facing increased security threats from the adoption of digital patient records, antiquated EMR and clinical applications, the ease of distributing electronic protected health information (ePHI), the heterogeneous nature of networked systems, and the evolving threat landscape.
Michael Ebert, KPMG cyber healthcare and life sciences leader, told SCMagazine.com that the survey results are the symptom of the lack of investment in cybersecurity.
“Their primary focus is on care, but they also have to spend the right amount to protect their environment,” Ebert said.
Ebert explained that health care organizations can't benchmark their security spending to other industries because they need to spend significantly more due to the uniqueness of the sector.
Eighty-nine percent of payers (insurance companies) and 85 percent of providers (hospitals and clinics) reported that cybersecurity has been discussed at the board level. Meanwhile, 88 percent of payers and 86 percent of providers reported that their organizations have invested in cybersecurity within the past 12 months, according to the report.
Despite these actions, only 53 percent of providers and 66 percent of payers considered themselves ready to defend against cyber attacks.
The number of endpoints and the types of technology that the medical sector uses make it more difficult to update systems and stay on top of security, Ebert said, adding that it will take a collaborative effort between health care providers, device manufacturers and legislators to improve security within the industry.
Some providers still rely on Windows 7 and XP because certain updates to their technology would require FDA approval, Ebert said.
Despite the setbacks, Ebert noted that as a whole the industry is taking steps to improve its security, but it will take time.
He said that while improving cybersecurity in the health care industry is not a bolt-on fix, he felt confident that organizations were taking cybersecurity more seriously.
“We're going to get there,” Ebert said. “It's just going to be harder for the health care industry because they're that far behind.”