Consulting firm CynergisTek, Inc. has revealed the findings of its CAPP Community Conference: Cybersecurity 2019, which surveyed approximately 60 C-level healthcare executives about their cybersecurity practices. And from a medical device standpoint, the results were telling.
Specifically, the survey found that respondents were most concerned about the risks associated with the Internet of Things, medical devices, third-party vendors, and program development/management. However, the data also pinpointed some of the barriers or disconnects within organizations that stand in the way of solving these issues, like executive leadership buy-in. Most notably:

  • Nearly one-third of respondents reported that medical device security is one of the top five risks facing healthcare, according to the Health Industry Cybersecurity Practices; however, most reported not having an effective strategy in place to assess the risks posed by medical devices. Even more alarming, 26% said they don’t have any process in place at all.
  • “Culture” was listed as the leading difficulty (over compensation and training) in retaining cybersecurity professionals.
  • 54% of those surveyed said the biggest barrier to meeting privacy and security challenges was a lack of adequate resources (tools, money, or people), and only 13% cited senior management buy-in. However, in a follow-up question, 40% responded that they didn’t know if their board members were more or less involved with cybersecurity and privacy programs than they previously had been.

“The fact that the vast majority of respondents report a lack of resources as a serious constraint against their cybersecurity program, and senior management buy-in as the least concern, shows there is a huge disconnect happening and is extremely troubling,” says David Finn, executive vice president of strategic innovation at CynergisTek.

Finn adds: “If executive leadership truly understood the business risks posed by inadequate cybersecurity and realized the major operational, financial, and patient safety implications a security incident can have, they would ensure any and all resources needed were available. We need to make sure we are effectively communicating these issues to executive leadership so they make cybersecurity a business priority.”