Healthcare providers and companies remain highly targeted by cybercriminals and have boosted their cybersecurity efforts in the last few years. But many still aren’t using best practices for third-party software management and multi-factor authentication, according to Moody’s, and may be decreasing investments in the coming year.
Six things to know:
1. Some hospitals are devoting less of their IT budget to cybersecurity today than in 2023; 8% said they invest 10% or more of their IT budget on cybersecurity in the last three years, down from 10% in 2023. Among for-profit hospitals, the percentage spending at least 10% of their IT budgets on cybersecurity dropped from about 22% in 2023 to around 18% in 2024.
2. Nonprofit hospitals face thinning margins and labor shortages, making it difficult to maintain the same level of cybersecurity investment, said Moody’s. “In addition, higher inflation, supply chain disruptions have also increased costs while higher interest rates have raised the cost of debt and made financing equipment or investing in capital more expensive,” according to the report.
3. Many hospitals expect their cybersecurity staff to remain the same or increase in the next year. Fifty-four percent of nonprofit hospitals and 53% of for-profit hospitals said they plan to increase the number of cybersecurity employees next year while 44% of nonprofits and 29% of for-profits said their cybersecurity staff will remain about the same.
4. Eighty-five percent of nonprofit hospitals and 81% of for-profit hospitals have a third-party vendor cyber risk program and nearly all evaluate cyber risk from third-party software providers. However, there is work to be done in this space. Just 44% of nonprofit hospitals said they review vendor cybersecurity risk practices annually and 38% said they review third-party software cybersecurity risk programs every year. By contrast, 93% of for-profit hospitals had annual reviews.
5. Nearly all had cyber insurance and planned to keep it about the same in the next year. One-quarter of for-profit hospitals and 24% of nonprofits said they would increase their cyber insurance spend this year.
6. Hospitals have not universally adopted multi-factor authentication for identity management and to combat social engineering. Sixty-three percent of for-profit hospitals and 83% of nonprofits said they maintain insider threat programs. Seventy-nine percent of for-profits and 82% of nonprofits said they use multi-factor authentication.