Most healthcare providers do not use any software for information security governance or risk management to protect against cyberattacks, according to a recent survey, which also found providers fear their own employees the most.

Ninety-five percent of healthcare organizations use no software for those functions, and 68% do not have a separate cybersecurity function, according to the Netwrix 2017 IT Risks Report, published by Netwrix Corporation, a data security company in Irvine, CA.

The results are based on feedback provided by IT specialists working for healthcare organizations around the globe. (The report is available online at:

The survey also found that 56% of responding healthcare organizations perceive employees to be the biggest threat to system availability and security, 59% have had to deal with malware, and 47% have had security incidents caused by human error. Only 31% of healthcare organizations claim to be well prepared to beat IT risks.

Most healthcare organizations indicated lack of budget (75%), time (75%), and appropriate participation of senior management (44%) as the main obstacles to more efficient cybersecurity.

Healthcare providers may be starting to take the threat of cyberattacks more seriously, says Michael Fimin, CEO and co-founder of Netwrix. He notes that 56% of responding healthcare organizations say they plan to invest in security solutions to protect against data breaches.

“While healthcare organizations continue to struggle with compliance and system availability, the security of electronic health records remains their biggest concern by far. Despite the surge in malware attacks and the high price that healthcare records command on the black market, the healthcare industry still sees employees as the main threat to the security of their assets,” he said in a statement. “Even though most employees do not have malicious intent, organizations need to gain visibility into user activity across the IT infrastructure. Having a clear understanding of what is going on in the environment will help them mitigate the risk of human errors, detect and investigate incidents faster, and, as a result, improve the security of their sensitive patient data.”