HIMSS Blog 02. Blog Image (1)

What the HIMSS 2022 Cybersecurity Survey Means for Your Organization

July 27, 2023
July 27, 2023

The Healthcare Information and Management Systems Society (HIMSS) is a non-profit organization dedicated to reforming the global health ecosystem through the power of information and technology – two things that are essential to healthcare, but also create vulnerabilities in the healthcare delivery system. HIMSS recently published the results of their 2022 HIMSS Healthcare Cybersecurity Survey. The survey results provided insight into current issues in healthcare cybersecurity.

Survey Background

In 2022, HIMSS surveyed 159 cybersecurity professionals working in healthcare. The majority (67%) of the respondents had primary responsibility for the cybersecurity programs at their organizations. The majority of them worked for healthcare provider organizations (60%) with the remaining respondents reporting that they worked for vendors, consulting firms or government entities. About 35% reported being in executive roles; while 41% reported being in non-executive management roles and 24% reported being in non-management roles. Some of the survey’s key findings are summarized below.

Survey Findings – There are Significant Recruitment, Retention and Training Issues

Workforce challenges in healthcare are the norm and those challenges extend to cybersecurity professionals. Most respondents (61%) agreed that the main barrier to achieving a robust cybersecurity program is a lack of cybersecurity staff. Challenges such as difficulties in recruiting qualified staff, insufficient budget, lack of qualified candidates and non-competitive compensation were cited as barriers to hiring. The majority (67%) also agreed that retention was a serious concern. 

While the nature of cybersecurity threats continues to evolve, training remains less frequent than what would be considered optimal. The majority (61%) cite a lack of time for training as a significant barrier to receiving training from an external cybersecurity training provider. Employers not subsidizing the costs of training (23%) or not subsidizing a sufficient amount of the training costs (20%) round out the list of the top three barriers.

Survey Findings – Challenges and Processes

While it may not be a fulsome solution, a larger budget and more staff is important in cybersecurity. When asked about changes to their budgets from 2021 to 2022, nearly 52% reported that their budgets had increased and 47% reported that their budgets would increase from 2022 to 2023.

When asked about the barriers to achieving better cybersecurity, the top two answers were a lack of cybersecurity staff (61%) and a lack of budget (50%). In addition, cybersecurity professionals cited the following as barriers to achieving better cybersecurity:


  • Lack of data inventory (45%)
  • Lack of data classification (38%)
  • Lack of specialized skills amongst cybersecurity staff (38%)
  • Lack of organizational cooperation (31%)
  • Lack of policies and procedures reflecting current practice (31%)
  • Lack of awareness about policies and procedures (30%)

While passwordless multi-factor identification is a growing and safer trend, it has not yet gotten traction in healthcare organizations. In 2016, just 39% of healthcare organizations were using multi-factor identification such as a password and an authenticator app or SMS code. The 2022 results showed that 80% were currently using multi-factor authentication with a password and authenticator app and 58% reported using passwords and SMS codes. (Multiple responses were allowed meaning that responses to this question would not add up to 100%.)

Respondents also reported a decrease in information sharing. In 2018, 69% of respondents reported sharing threat information with peers. In the 2022 study, just 53% of respondents reported sharing threat information with their healthcare cybersecurity peers. The decrease in information sharing could potentially result in a lack of awareness of new and emerging threats.

Survey Findings – Ransomware Issues

The good news is that a significant majority (78%) of respondents reported that their organizations had not experienced a ransomware attack within the past year. This appears to be part of a larger trend across all industry sectors of a decrease in ransomware attacks.

While there are still active ransomware strains impacting the healthcare sector, the report cited law enforcement’s successful actions against cybercriminals, regulations prohibiting payments to sanctioned groups, the economic downturn in cryptocurrency and a decrease in ransomware victims paying ransom as contributing to the decrease in attacks.

Survey Findings – Improving Cybersecurity in Healthcare

The report concluded with some recommendations about how to further protect healthcare organizations from cyberattacks.

The healthcare workforce is the first line of defense against cybercrime and the report recommended more frequent and practical cybersecurity training for staff and for cybersecurity professionals, providing broader awareness training for all staff to help them recognize the scope and breadth of these threats, and hiring and training more cybersecurity professionals.

On the technical side, the report recommended moving to passwordless, multifactor identification, more robust incident response teams, post-incident digital forensics, leveraging third-party vendor expertise, peer-to-peer information sharing about emerging threats, and insider threat detection.

Employees represent your organization’s first line of defense against cyber-attacks. HealthStream’s Security Awareness Solution can help protect your organization by equipping employees to recognize potential security threats.