Change, Opportunities, and Threats: Healthcare Innovation's State of the Industry Survey

January 18, 2023 CynergisTek, Inc.

Change is happening in patient care organizations across the U.S. healthcare system—not revolutionary or rapid change, but gradual change that is over time shifting the shape of how patient care organizations work. In our annual State of the Industry Survey, we asked survey participants to respond to a wide range of questions around infrastructure, analytics, health information exchange (HIE), value-based contracting, cybersecurity, and several other topics. In this article, we share some of the highlight results from our annual survey, with analysis of those results by industry leaders and observers.

Cybersecurity concerns continue to intensify

Even as the leaders of patient care organizations across the U.S. healthcare system are moving forward along so many dimensions, in terms of participating in value-based contracting, advancing their population health management and care management work, and sharpening their use of analytics tools—including AI tools—to support their work to improve care management, they continue to be dogged by cybersecurity threats.

Indeed, a core set of survey results was around the cybersecurity challenges that patient care organizations are facing these days. Asked whether their recent experience of cybersecurity threats and attacks has been more or less challenging, 47.73 percent told us that their experience has been more challenging than a year ago, while 27.27 percent said it’s about the same, and only 4.55 percent reported that it’s less challenging (and 20.45 percent weren’t sure). Looking at that set of results, “What was really interesting about the answers to this survey is not so much what [survey respondents] said, but what they also didn't say, and sometimes, the negatives can be just as powerful as the positives,” says Mac McMillan, founder and advisor of the Austin, Tex.-based CynergisTek, a Clearwater Company. “In this particular case, 50 percent said it was more challenging, while the other 50 percent said it was about the same or they weren't sure, which is kind of scary. But you realized that hardly anyone said it was less. So absolutely, nobody thinks that the environment that they're in today is less challenging than the one they were in a year ago. And it’s important that 100 percent think that the environment is still challenging, or more challenging than it used to be. And that's no surprise at all. Because it absolutely is.” But here’s the catch: that level of threat “still hasn't changed their behavior or their sense of priority with respect to cybersecurity. And that's the part that's really troubling in this thing, is that you've got more than half the people who absolutely say it's more challenging, and the rest say it's just as challenging. And yet, they're still spending pretty much what they've been spending. And those two things just don't align.”

One interesting set of results was this one: asked whether their organization had experienced a malware attack, ransomware attack, or other form of cyber breach that has led to a significant disruption of EHR (electronic health record) and clinical information systems usage, 18 percent said yes, but nearly 66 percent said they had not, while 16 percent weren’t sure. Dave Bailey, vice president of security services at CynergisTek, a Clearwater Company, says that “There are two ways of looking at that. To begin with, we have to at least assume that those organizations are experiencing downtime. So they're experiencing issues, but for some reason, those downtimes and issues are not being attributed to attacks. Why is that?” he asks. “Maybe those organizations aren’t developing reports” on the breaches. “Maybe they don’t know they’ve been extorted”—yet.

As for the cybersecurity threats, which experts across the industry agree are intensifying, Bailey says that “In my experience, what we're seeing is a very sophisticated adversary that recognizes that they can take advantage of an industry, and they take advantage of it because they're successful at it. And if you look at the top malware families that are out there, like what are the threat actors using in order to attack organizations, they’re really all geared in some fashion towards stealing your credentials, towards gaining a foothold in order to access your data, and ultimately, be able to extort you for that data.” Further, Bailey says, there are now organizations all across the world that are increasingly targeting the U.S. healthcare industry, because it is so vulnerable to attack; and that set of threats will only continue to intensify.

With regard to responding to the threat landscape, we asked participants whether their organizations have yet implemented significant network segmentation, including around their EHRs, medical devices, and other critical infrastructure. In response, 43.18 percent said that they had; 18.18 percent had not yet, but were planning to do so; 11.36 percent had no plans to do so; and 27.27 percent weren’t sure what their organizations were doing.

Per that, McMillan says that “these results are significantly better than they've been in the past. There was a time not too long ago that the number of people who were actually doing real segmentation was less than 10 percent. So to see 50 percent say that they've either done it, or they're planning to do it, is a huge difference from where these numbers once were, and that's a good thing. And the reason that's so important is really simple: if you go without segmentation, the incoming threat has the ability to move through the organization very rapidly; when a threat attacks, it finds a way to get in, finds a foothold, and does its reconnaissance, moving laterally through the network to exploit the entire network.” Strong segmentation will allow for a far quicker identification of an intrusion in order that it can be addressed, he stresses.

Cybersecurity experts industry-wide agree that it will be important to hire more chief information security officers (CISOs) into hospitals and health systems, as well as to give those individuals budgets and staff. Per that, 36.36 percent of respondents—pretty much identical to a year ago—said that they’ve hired a CISO, while a further 18.18 percent plan to hire one, and fully 45.45 percent have no plans to hire a CISO.

Meanwhile, per budgets and budgeting, fully 50 percent of respondents told us that their organization’s IT budget has increased over the past two years, while 20.45 percent reported that it has stayed the same, and only 11.36 percent said it had decreased. Also, with regard to the COVID-19 pandemic, 38.64 percent reported that the pandemic has caused their budget to increase, while 29.55 percent said it has stayed the same across the past two years, and only 15.91 percent said it has decreased as a result of the pandemic.


About the Author

CynergisTek, Inc.

CynergisTek is a top-ranked cybersecurity consulting firm dedicated to serving the information assurance needs of healthcare. CynergisTek offers specialized services and solutions to help organizations achieve privacy, security, and compliance goals. The company has been recognized by KLAS in the 2016 and 2018 Cybersecurity reports as a top performing firm in healthcare cybersecurity, as well as the 2017 Best in KLAS winner for Cybersecurity Advisory Services.
