TheU.S. healthcaresectoris inadequatelypreparedtodealwith the reality of cyber threats. The increasing use of smart medical equipment and mobile devices is making healthcare organizations more susceptible to ransomware and other types of malware. The size and complexity of operations, coupled with the presence of numerous legacy and incompatible systems, make it difficult to implement effective cybersecurity measures. The daunting nature of the problem often results in an if-itain’t-broke-don’t-fix-it stanceamong senior healthcare leaders. The preponderance of healthcare-related laws, compliance regulations, and security guidance frameworks serve to complicate the cybersecurity challenge further and too often results in senior leadership assuming a state of blissful ignorance. This study sheds light on the key factors contributing to the chaotic state of affairs and presents a roadmap to a more deliberate and proactive approach to cybersecurity risk management.

Is muddling through an acceptable approach to cyber risk management?

Muddling through is a dangerous approach to cybersecurity risk management. Yet, many organizations fall into this chaotic trap for reasons ranging from a lack of top management priority and commitment to organizational size and complexity, presence of numerous and incompatible legacy systems, inadequate budget, and more (Cram, Proudfoot, & D’Arcy, 2017; Kaminski, Rezek, Richter, & Sorel, 2017; Sweeney, 2016). There is enough evidence to suggest that U.S. healthcare organizations lack a deliberate, organized, and comprehensive cyber-resilience strategy. To quote a recent survey report: “One-third of hospital executives have purchased cybersecurity solutions blindly without much vision or discernment” (Leventhal, 2018). Investments in establishing cyber resilience severely lag behind other regulated industries. Not only are cybersecurity budgets low and being cut but also many firms have neither a formal security program nor a dedicated leader assigned to security (Donovan, 2018a; Leventhal, 2018; Lord, 2018). Size and complexity of operations are some of the other factors contributing to an ineffective approach to cybersecurity risk management. The following quote reflects this unfortunate state of affairs: Healthcare rivals the public sector in our mission and complexity. Both industries tend to be too trusting that everyone (internal employees and information exchange partners) is doing their due diligence regarding cybersecurity. But the sectors are just too large to know for sure. We don’t truly understand our own risks until it’s made plain to us by the hackers. –—Senior Executive Services (SES) in public health and cyber operations