Get Data Security Funding Right

Hospitals must weigh several factors, including staff needs and overall risk appetite.

The healthcare sector continues to be a favorite target for cybercriminals, who place great value on patient data. Information about a person's identity, medical conditions, treatments, and procedures enable threat actors to attempt all sorts of fraud, including fake medical billings and insurance claims.

The dark web, the global underground marketplace for stolen data, is rife with the sale of personally identifiable information (PII) and medical information. There are a host of compliance regulations that hospitals and healthcare systems must meet to protect data privacy.

This places pressure on hospitals to get their information security funding right. But paying for information security is like buying insurance. You need it, but you don't want to overspend on it. The challenge for hospitals is knowing how much security spending is enough and where it should be invested. To get to the heart of those questions, HealthLeaders spoke to several experts about their security spending strategies.

The percentage of IT budgets typically spent on security

Organizations typically spend anywhere from 5% to 15% of their IT budgets on information security, says Philip Harris, an information security analyst and research director with International Data Corp (IDC). Exactly where a hospital falls in that range is typically due to the cyber risk awareness level of an organization. When it comes to protecting data, it is more the devices, systems, and business practices that present the greatest vulnerabilities.

"There is no one formulaic answer for how much you should spend," Harris says. "It comes down to figuring out what your top risks are, and what is it going to take to remediate those risks. There will be spikes in spending, and there are also fixed costs. From there, you can derive what the ongoing run rate will look like in the long term."

One significant spending spike is caused by the hiring of new information security professionals at a hospital or healthcare system. That was the case at El Camino Health in Mountain View, California, says CFO Carlos Bohorquez.

"Information security is top-of-mind for our CIO, our compliance committee, the board, and the executive team,” Bohorquez says. "Despite the financial challenges presented by the pandemic, we believe that having a comprehensive IT security platform is not an option, it is a requirement. We have made a significant investment in our IT security resources over the last 24 months. This includes creating a new chief information security officer (CISO) position, recruiting a CISO, and adding dedicated resources to his team." 

What top security professionals will cost

New hires can quickly add to an information security budget, says Peter Tsai, head of technology insights at Spiceworks Ziff Davis, a professional network for IT pros based in Austin. IT jobs have enjoyed high pay for several years, and security professionals are among the highest-paid and most in-demand.

Accordingly, hospitals can expect to shell out large salaries for the top information security professionals. Salary tracker GlassDoor lists the salaries shown below as national pay rates for several top information security jobs, as of May 2022. Exact salary figures for any individual would depend on location, industry experience, competition in the market, and years of experience for the individual.

• Chief information security officer = $205,120
• Information security director = $191,801
• IT security architect = $153,751
• Information security manager = $134,108
• Information security engineer = $107,446
• Information security analyst = $99,275
• Information security specialist = $97,273
• Security consultant = $94,745

Another factor in what a hospital may have to pay to acquire or retain these skills depends on whether it can find the right talent in the marketplace, if it must bring in consultants to fill certain roles, or whether it outsources the effort.

Conduct a total security risk assessment

There are challenges to finding and hiring the right skilled information security professionals. But a bigger challenge for hospitals can be determining where its security vulnerabilities lie. This includes every system, every device, and every end user.

"Cybersecurity risk management is probably the most critical topic for organizations to address," Harris says. "What that means is, you've got to assess the environment, you've got to do a complete controls and maturity assessment, and you've got to figure out what your overall current security state is."

That assessment could evaluate any combination of things, between people, processes, tools, and even philosophy, Harris explains. "So, conducting a thorough enterprise-wide risk assessment from a cybersecurity perspective is critical."

That attitude has been adopted at Emory Healthcare in Atlanta, says CFO Brad Haws.

"To beef up security readiness, we've had to beef up our security reviews," Haws says. "That obviously comes with recommendations that each institution has to make about the risk and reward balance.”

In other words, how great a potential risk is there in the first place, and what is the return on investment to protect it? But the challenge gets harder because health systems keep adding more patients, more data, and potentially more vulnerabilities.

"How do you stay on top of that? How do you keep current?" Haws says. "I don't know the right answer or mix here in terms of how much coverage you need, or how much you should spend on it as a percentage of IT budget? I think those things are constantly evolving."

Prioritize risk appetite

Despite potential changes in security vulnerabilities, one thing remains constant—the need for a hospital to determine its risk appetite. In simple terms, risk appetite refers to the degree to which an organization can accept risk with each element of its systems and data sources.

Some data must be protected at all costs, while other data should be protected. Still, for some data, it would be nice to protect it if possible. While some information can be left at greater risk if necessary, or not protected at all, what determines where a system, process, device, or data source falls in these categories depends on healthcare compliance requirements and business loss impacts.

Because of that, a hospital or healthcare organization needs to evaluate what a security incident could do to disrupt essential operations, Haws says.

In the event of an incident, "Can you still run your OR? Can you still run your clinical systems, or keep patient records? Those become primary concerns," Haws says.

"The other thing, too, is that you've got to tie all this back to a business strategy," Harris says. "The business leaders need to see why these investments are important, and why these are real threats."