CynergisTek’s Survey Data Reveals Leading Cybersecurity Concerns for Healthcare Organization Executives. Client-Conference Data Unveils That Risks Associated with Internet of Things, Medical Devices, Third-Party Vendors, and Program Management are Top of Mind for Security Executives, Yet Action is Lagging

1. CynergisTek has been recognized by KLAS in the
2016 and 2018 Cybersecurity report as a top
performing firm in healthcare cybersecurity.
CynergisTek won the 2017
Best in KLAS Award for Cyber
Security Advisory Services
CAPP Conference Survey
Cybersecurity & Privacy Threat Landscape

2. 60%
40%
How Involved Is Your Board with
Privacy & Cybersecurity Versus the
Past Few Years ?
More Involved Less Involved About the Same Don't Know
While it is heartening to see that Boards
are paying more attention, it is alarming
that 40% don’t even know if the Board is
more or less involved than they were
previously.
That means CIOs, CISOs, Privacy Officers,
etc., don’t know what their Boards are
hearing, saying, or talking about regarding
privacy and security.

3. Even though IT budgets and job openings are increasing across the industry, 54% of respondents report
that resources are their biggest barrier to meeting their organization’s privacy and security needs.
Finding the right skillsets at the right price is the issue – that’s what can’t be found in healthcare
security. This, at its root, is a cultural issue for CISOs and security staff: “They don’t give me the tools or
support I need, they pay me less than I could make somewhere else, the organization doesn’t value
security or me. And I’m carrying an awesome responsibility.”
13%
29%
54%
4%
Sr. Managamgent/Buy-In
Accountability
Resources (People, Money, Etc.)
Governance
What Is the Biggest Challenge to Meeting
Your Privacy and Security Needs?
29%
14%
50%
7%
Compensation
Training
Culture
Interesting Assignments
What Is the Most Important Factor for
Retaining Cybersecurity Staff?

4. Although 40% or respondents indicated that third-party vendors are their biggest risk,
only 60% of the same survey population, are doing both pre- and post- acquisition
evaluations of vendors. This is either a reflection that evaluations of vendors are
inadequate or there is a disconnect between what is being evaluated and the security
team. We believe it is both.
27%
7%
27%
40%
Insiders
Hacking
Social Engineering & Phishing
Third-Party Vendors
What Threat Concerns You the Most?
27%
60%
13%
How Often Do You Review Vendor
Security Evaluations?
Pre-Acq Only Post-Acq Only Both Never

5. 39%
4%
18%
39%
Old Habbits Die Hard
Executive Support
Lack of Resources
Accountablitiy
Biggest Barrier to Changing Culture Is…We’ve already discussed culture in terms of retaining
skilled security staff. Experts in the field agree that
creating a “culture of privacy and security” is critical and
that security and privacy must be both top-down and
bottom-up. This response indicates an equal weight on
the biggest barrier to changing culture between
“Accountability” and “Old Habits Die Hard.”
Accountability, though, is really about changing habits
and empowering people to act - that is culture. Executive
support requires a shift in the habit of downplaying
security at the executive level. That would bring “Old
Habits” to 82%, making it the biggest barrier by far. If
change isn’t in the air, it needs to be. The old ways don’t
protect you adequately.

6. 74%
26%
Medical Device Strategy
Effective Process
Strategy In Place, Not Sure if it's Effective
We Don't Have a Process in Place
Medical devices were one of the top
security concerns and was one of the top
five concerns of the Health Industry
Cybersecurity Practices [the primary
publication of the Cybersecurity Act of
2015, Section 405(d) Task Group prepared
under the auspices of the Dept. of Health
& Human Services].
Additionally no one reported to have an
effective medical device strategy in place
and 26% don’t even have a process in
place.

7. Never, 28%
Once, 20%
Mutliple Times
Per Year, 28%
Varies, 24%
How Often Do You Conduct
Incident Response Exercises?
How is that in an industry that regularly conducts drills
for airplane crashes, chemical spills, and weather events,
doesn’t include the event much more likely to occur at
the organization and without the warning of weather
forecast?
In 2018, a study found that 77% do not have a formal
cybersecurity incident response plan (CSIRP) applied
consistently across their organization. Nearly half
reported that their incident response plan is either
informal/ad hoc or completely non-existent.*
It’s time to change our habits. Despite the growing
number and type of security threats, only 28% are
conducting routine incident response exercises.
*
Ponemon Institute and sponsored by IBM Resilient, “The 2018 Cyber
Resilient Organization.” March, 2018,

8. 0
48%
41%
11%
Very Prepared
Moderately Prepared
Not Prepared
Unaware
How Prepared Is Your Organization for the New Privacy Rules & Regulations?
The increasing interest in protecting the privacy of individuals’ personal information promises
to impact healthcare systems and warrant robust privacy and security programs in the near
future. Multiple states have passed or have pending privacy legislation. There is growing talk
at the Federal level national privacy legislation. More than half of respondents aren’t sure of
or are not prepared for new privacy regulations. No one was “very” prepared.

9. 11%
67%
11%
11%
Sr. Management/Buy-In
Resources Required to Mature the Program
Effective Analytics
Cost/Budget
What Is the Biggest Barrier to Maturing Your User Access Monitoring
Program?
89% say they can’t get tools, money, or resources for user access monitoring, yet only 11%
indicate the issue is executive level buy-in. If executives were committed to access
monitoring, there would be money, tools, and people. This is a clear indicator that user access
monitoring is not being effectively communicated to senior leadership as a business issue that
has operational and patient care impacts. And it does.

10. AI
22%
5G
4%
Supply
Chain
22%
IoT
52%
Which Emerging Threat Worries
You the Most?
Beyond the all-too-common attacks on healthcare,
we are already seeing accelerated threat activity
from new quarters.
So, what can we expect on the cybersecurity front
looking ahead? These are some of the trends and
activities most likely to affect healthcare in 2019
and beyond.
• Attackers will exploit artificial intelligence (AI)
systems and use AI to aid assaults
• Among the most troubling will be attacks against IoT
devices that bridge the digital and physical worlds
(security, medical devices, sensors)
• Attackers will find new and more sophisticated
opportunities to infiltrate the supply chain of
organizations they are targeting

11. 11
Questions?
info@cynergistek.com
512.402-8550