Managing Healthcare Risk in a Networked World

Independently conducted by Ponemon Institute LLC  |  Sponsored by Michigan Healthcare Cybersecurity Council

Key Findings

The following summarized findings, detailed more fully in the Analysis Section and Appendix of this Study, highlight the security gaps and weaknesses that prevent healthcare organizations from effectively reducing risk and achieving a resilient cybersecurity posture over time.

  • LACK OF INCIDENT RESPONSE PLANNING Only 35 percent of respondents say Security and IT management and senior leaders work closely to manage cybersecurity risks and put an effective cybersecurity incident response plan in place.
  • LOW SENIOR LEADER INVOLVEMENT Only 39 percent of respondents say senior leaders are involved in prioritizing cybersecurity threats, determining the organization’s willingness to accept a certain level of risk and identifying strategies to minimize risk.
  • LAX THIRD-PARTY VENDOR OVERSIGHT Dependency on services and products provided by third parties will increase over the next three years, but few organizations take steps to assess potential security vulnerabilities. Only 38 percent of respondents say their organizations are proactive in understanding third-party relationships, monitoring and overseeing vendors and monitoring and enforcing contract terms.
  • ENTERPRISE SILOS Organizational silos prevent staff from effectively addressing cybersecurity risks in a timely manner; ensuring compliance with privacy and security regulations; and implementing enterprise-wide strategy to minimize risks to sensitive and confidential data. A cross-functional approach to data protection would reduce risk associated with these silos. Only 41 percent of respondents say senior leaders take a cross-functional approach to identifying gaps in security and vulnerabilities in order to understand, prioritize, mitigate, and communicate risks.
  • INSUFFICIENT INCIDENT RESPONSE READINESS Most organizations have a cybersecurity incident response plan, but it is rarely exercised. Sixty-three percent of respondents say their organizations have a cybersecurity incident response plan, but 59 percent of respondents say it is exercised only annually (23 percent), at no set time (20 percent), or only when their organizations have a cybersecurity incident.
  • LACK OF INVENTORY TRANSPARENCY Healthcare organizations are at risk because they do not maintain an inventory of their critical applications, hardware and software.
  • DATA STRATEGY FAILS TO ADDRESS MOST SERIOUS RISK Data management strategies do not address the most serious security risks. Less than half of respondents (47 percent) say their strategy addresses the risk posed by cyber criminals, and only 39 percent of respondents say it addresses data breaches.
  • INCONSISTENT TRAINING Less than half of respondents (48 percent) say their organizations require mandatory cybersecurity training for workforce members who use the organization's technologies. Even where training is mandatory, respondents say it is delivered ad hoc (40 percent), only upon joining the organization (40 percent), or only when the organization has a security incident (32 percent).