Report: Healthcare Cybersecurity Programs Face Workforce Shortage

The top barrier to achieving a robust cybersecurity program in healthcare settings is a lack of cybersecurity staff, according to the recently released 2022 HIMSS Cybersecurity Survey Report.

Analysis of the survey data suggests healthcare organizations have made significant progress in improving their healthcare cybersecurity programs, but challenges still include limited security budgets, insufficient staff and training and the growing volume of cyber-attacks and compromises.

This is the 14th annual cybersecurity survey by HIMSS. Results are based on the experiences of healthcare cybersecurity professionals who are responsible for day-to-day operations or oversight of healthcare cybersecurity programs.

Effective cybersecurity defense requires adequate staffing and budgets, but the survey found that typically, healthcare organizations are spending 6% or less of their overall information technology budget on cybersecurity.

Healthcare cybersecurity professionals are a precious commodity, and an insufficient budget is just one of several major challenges preventing healthcare organizations from hiring cybersecurity staff. A lack of qualified candidates, recruitment issues and not being able to offer competitive compensation were also noted as common barriers. However, informaticists, clinicians, and others in the field are frequently bridging the gap between cybersecurity and healthcare.

While healthcare organizations have been concerned about ransomware attacks since at least 2018, U.S. officials and cybersecurity analysts report a drop in ransomware attacks across industries as of 2022. Only 12.58% of healthcare stakeholders reported experiencing a ransomware attack in the past year, and an overwhelming majority (77.99%) stated their organizations did not experience a ransomware attack in the past year.

Ransomware operators will likely leverage social engineering and artificial intelligence to infiltrate targets that are perceived to be of high value, including healthcare organizations. Many healthcare cybersecurity leaders claim their organizations would not pay a ransom in the event of a ransomware attack (42.77%). But others do not know if their organizations would pay the ransom (55.35%). Only a few are certain that their organizations would pay the ransom (1.89%).

Read the full 2022 HIMSS Cybersecurity Survey Report to learn more.