Hospitals must weigh several factors, including staffing needs and overall risk appetite.
The healthcare industry continues to be a prime target for cybercriminals, who place a high value on patient data. Information about a person’s identity, medical conditions, treatments, and procedures enables threat actors to attempt all kinds of fraud, including fake medical bills and insurance claims.
The dark web, the global underground market for stolen data, is plagued by the sale of personally identifiable information (PII) and medical information. At the same time, hospitals and healthcare systems must adhere to a multitude of compliance regulations in order to protect data privacy.
This puts pressure on hospitals to get the right information security funding. But paying for information security is like buying insurance. You need it, but you don’t want to spend too much on it. The challenge for hospitals is knowing how much security spending is enough and where it should be invested. To get to the heart of these questions, HealthLeaders spoke to several experts about their security spending strategies.
Percentage of IT budgets typically spent on security
According to Philip Harris, information security analyst and research director at International Data Corp (IDC), companies typically spend between 5% and 15% of their IT budget on information security. Where a hospital falls within this range usually reflects the organization’s level of cyber risk awareness. When it comes to data protection, it is the devices, systems and business practices that present the greatest vulnerabilities.
“There’s no single formula for how much you should spend,” Harris says. “It’s about figuring out what your main risks are and what it will take to address those risks. There will be spikes in expenses, and there are also fixed costs. From there, you can infer what the running rate will look like in the long run.”
One significant spike in spending comes from hiring new information security professionals into a hospital or healthcare system. This was the case at El Camino Health in Mountain View, Calif., says chief financial officer Carlos Bohorquez.
“Information security is a priority for our CIO, our compliance committee, the board of directors and the management team,” says Bohorquez. “Despite the financial challenges presented by the pandemic, we believe that having a comprehensive IT security platform is not an option, it is a requirement. We have made a significant investment in our IT security resources over the past 24 months. This includes creating a new chief information security officer (CISO) position, hiring a CISO, and adding dedicated resources to his team.”
What the best security professionals will cost
New hires can quickly add to an information security budget, says Peter Tsai, technology knowledge manager at Spiceworks Ziff Davis, a professional network for IT professionals based in Austin. IT jobs have enjoyed high salaries for several years, and security professionals are among the highest paid and most in demand.
As a result, hospitals can expect to pay high salaries for top information security professionals. The GlassDoor Salary Tracker lists the figures below as national pay rates for several information security positions, as of May 2022. The exact salary for any individual would depend on location, industry experience, market competition and years of experience.
- Chief Information Security Officer = $205,120
- Director of Information Security = $191,801
- IT Security Architect = $153,751
- Information Security Manager = $134,108
- Information Security Engineer = $107,446
- Information Security Analyst = $99,275
- Information Security Specialist = $97,273
- Security Consultant = $94,745
What a hospital actually pays to acquire or retain these skills also depends on whether it can find the right talent in the market, whether it needs to hire consultants to fill certain roles, or whether it outsources the effort entirely.
Perform a full security risk assessment
Finding and hiring qualified information security professionals is difficult. But a bigger challenge for hospitals may be figuring out where their security vulnerabilities lie. That means every system, every device and every end user.
“Cybersecurity risk management is probably the most critical topic organizations need to address,” Harris says. “That means you need to assess the environment, you need to do a full controls and maturity assessment, and you need to determine what your current overall security state is.”
Such an assessment could cover any combination of people, processes, tools and even philosophy, says Harris. “A thorough enterprise-wide risk assessment from a cybersecurity perspective is therefore essential.”
This attitude has been adopted at Emory Healthcare in Atlanta, says CFO Brad Haws.
“To strengthen security readiness, we had to strengthen our security reviews,” says Haws. “This obviously comes with recommendations for each institution to make regarding the balance between risk and reward.”
In other words, how big is the potential risk in the first place and what is the return on investment to protect it? But the challenge becomes more difficult as healthcare systems continue to add more patients, more data, and potentially more vulnerabilities.
“How do you stay on top? How do you stay up to date?” Haws says. “I don’t know the right answer or the mix here in terms of how much coverage you need, or how much you should spend on it as a percentage of IT budget. I think those things are constantly changing.”
Prioritize risk appetite
Despite potential changes in security vulnerabilities, one thing remains constant: the need for a hospital to determine its risk appetite. Simply put, risk appetite refers to the extent to which an organization can accept risk with each element of its systems and data sources.
Some data must be protected at all costs; other data should be protected; for still other data, protection is desirable if feasible; and some information may be exposed to greater risk if necessary, or not protected at all. Where a given system, process, device, or data source falls among these categories depends on healthcare compliance requirements and the business impact of its loss.
For this reason, a hospital or healthcare organization should assess what a security incident could do to disrupt essential operations, Haws says.
In the event of an incident, “Can you still operate your operating room? Can you still operate your clinical systems or maintain patient records? It becomes a major concern,” says Haws.
“The other thing, too, is that you have to tie this all into a business strategy,” Harris says. “Business leaders need to see why these investments matter and why they are real threats.”