Despite healthcare organizations' best attempts at maintaining patient confidentiality, the industry regularly accounts for a staggering number of data breaches. According to the latest Identity Theft Resource Center (ITRC) report, more than 120 million patient records were compromised in 2015 due to healthcare incidents alone.
Critics are quick to attribute these breaches to granular issues such as legacy infrastructure or poor identity access management. However, bigger picture problems include underinvestment in critical systems, conflation of compliance and security concerns, and an overreliance on internal expertise, that have left many firms without the means to accurately assess and defend against cyber attacks.
Curran
Leadership deficiencies
Compared to other industries, healthcare organizations don't adequately invest in security leadership, nor do they have a vast talent pool from which to pull. An ISACA study from early 2015 found that 86% of organizations feel there's a global shortage of skilled cybersecurity professionals. As a result, many healthcare organizations are living without chief information security officers (CISOs), or they are promoting IT directors and adding security to their purview.
Hinde
Security should be handled separately from day-to-day IT concerns, and healthcare organizations’ leadership structure should mirror this. Without a clear chain of command with regard to cybersecurity, everyone’s problem quickly becomes nobody’s problem.