More than half of the healthcare organizations surveyed in a recent cross-industry cybersecurity study by Travelers admitted they lack a specialized team to handle data breaches. Additionally, a majority of these organizations do not utilize endpoint detection and response tools. Meanwhile, chief information security officers (CISOs) nationwide voiced growing concerns in a recent study by Deloitte and the National Association of State Chief Information Officers (NASCIO).
The study highlights that threats, exacerbated by emerging artificial intelligence technologies, are on the rise, and many CISOs are uncertain whether their teams are adequately equipped to handle them. According to the Deloitte-NASCIO Cybersecurity Study, 86% of state CISOs from all 50 states and the District of Columbia stated that AI, budget uncertainties, cyber threats, and shifting workforces have expanded their data privacy responsibilities. More than one-third reported lacking a dedicated cybersecurity budget, with a significant majority (71%) believing the threat level of AI-enabled attacks is “high.” Additionally, 41% were unsure if their teams could manage all the cybersecurity threats they face.
However, there has been progress. State CISOs have increased their cybersecurity workforce, as noted by Meredith Ward, deputy executive director at NASCIO and coauthor of the report. Many have added specialists focused on cybersecurity issues.
Travelers’ 2024 Risk Index also revealed unprecedented concern over cybersecurity threats within healthcare organizations.
Growing cybersecurity gaps in healthcare
Hart Research contacted more than 1,200 U.S. businesses, including 100 companies in the healthcare sector, to explore their top challenges.
Around 36% of respondents had experienced a security breach, and 27% were victims of extortion or ransomware. Other issues included system glitches, unauthorized access to financial accounts, and employee-related risks. Despite 82% of healthcare organizations believing they had adequate cybersecurity measures in place, 44% did not use multifactor authentication for remote access, which was a key factor in the Change Healthcare takedown and subsequent nationwide claims payment system outage.
Nearly half (44%) also lacked an incident response plan. Cyber maturity gaps are evident, with 55% of healthcare respondents reporting they do not have a post-breach team, and 60% do not use endpoint detection and response tools. Some organizations have taken measures like implementing backup data and infrastructure (80%), firewall protection (72%), and performing background checks on employees (72%), yet there remain technological measures that could better safeguard patient data.
The landscape of cyber threats is evolving, with AI-enabled threats being a high concern, second only to security breaches involving third parties. In December, the U.S. Health and Human Services’ 405(d) Program emphasized the importance of cyber insurance in helping organizations recover from incidents and maintain care delivery operations. John Menefee, cyber risk product manager at Travelers Bond and Specialty Insurance, noted that while attacks are increasing, cyber insurance opportunities are improving as carriers better understand the mechanics of healthcare cyberattacks, thereby enhancing their ability to preemptively protect organizations.
Incorporating creative solutions and bolstering workforce levels for cybersecurity are becoming essential strategies for healthcare leaders to protect their organizations and the public.
