IT security budgets fail to keep pace with looming threats

Jeff Rowe
IT security budgets fail to keep pace with looming threats

Cybersecurity is a rapidly increasing concern across the healthcare sector, but organizations continue to struggle with a lack of resources, according to new research from HIMSS Analytics and Symantec Corp.

According to the report, which was based on a poll of 115 hospital IT and security personnel, few organizations devote more than 6 percent of IT budgets to data security.  And more than half of those polled said their organizations allocated 3 percent or less of their total IT budget to security in 2015, much less then other industry sector, the report notes.

In addition, “seventy-two percent of respondents said they have five or fewer IT employees allocated to data security, and even when counting employees outside of IT with data security responsibilities, they averaged 10 people focused on security.”

Other findings of the survey include:

  • Most organizations conduct IT security risk assessments only once a year.
  • Only 23 percent have an ongoing, consistent risk-management program.
  • Most organizations are not providing employee training and education needed to build and maintain cybersecurity awareness.
  • Half of the respondents said they are just beginning to address medical device security.
  • Many security leaders have only occasional interactions with top-level leadership.
  • In most healthcare entities, chief information security officers report to the chief information officer, and in effect, police their bosses. Only about 20 percent are independent.