CHIME/AEHIS Member Survey Limns Security Concerns of IT Leaders

Oct. 29, 2016
A new survey of CIOs and CISOs sponsored by CHIME and AEHIS finds broad concerns around phishing attacks, data theft, and other major IT threats facing patient care organizations

A new survey of healthcare chief information and chief information security officers has found that CIOs and CISOs consider social engineering and data theft to be the most common cybersecurity threats facing their organizations. Social engineering, which includes such tactics as phishing, spear phishing and baiting, deceives employees into inadvertently creating a vulnerability on their organization’s network. The survey of nearly 200 members of the Ann Arbor, Mich.-based College of Healthcare Information Management (CHIME) and Association for Executives in Healthcare Information Security (AEHIS) listed malware and ransomware as the top ways that cyber criminals are exploiting weaknesses. CHIME and AEHIS presented the survey findings Oct. 26 to the Department of Health and Human Services (HHS) Cybersecurity Task Force. Mandated by the Cybersecurity Information Sharing Act of 2015, the task force has been charged with analyzing the unique challenges and barriers to cybersecurity in healthcare. It is also studying how other industries are protecting data.

CHIME and AEHIS leaders publicly released the results of the survey on Oct. 27 in a press release. The results were based on responses from 189 healthcare IT executives. Among the highlights of the survey’s findings:

>  Asked what the most common threats were to their organizations, on a scale of 1 to 5, respondents cited “organized crime” as the most common threat (average: 3.77), followed by “cyberterrorism” (3.55), “data theft” (3.19), “IoT” (3.12), and “social engineering” (2.31).

>  In order of perceived threat, the following threats were seen as posing the greatest concern to respondents, on a scale of 1 to 5, 5 being the highest level: denial of service (average: 2.63), botnets (2.38), insider threat (2.33), back doors (2.28), hacking (1.99), malware (1.65), ransomware (1.49). Ransomware was seen as the biggest threat among organizations with fewer than 100 beds (2.18), while denial of service attacks were seen as the biggest threat among organizations with 400 or more beds.

>  Asked what their biggest vulnerabilities were from among a list of five choices, and again on a scale of 1 to 5, respondents rated “buffer overflows” the biggest vulnerability (average: 2.82), followed by “injection vulnerabilities” (2.47), “poor authentication and session management” (2.23), “security misconfiguration” (2.09), and “data exposure” (1.77).

>  Asked, “In your opinion, why does the business strategy not drive the security strategy?” and given seven possible reasons as choices, respondents ranked those reasons in the following order: “budgets or staffing” (5.1), “pace of change for the business (too many other initiatives)” (5.05), “Security is not considered a patient care or quality of care issue” (4.08), “Changing delivery of care models and workflows don’t address security until after the fact” (3.95), “Threat landscape changes too quickly” (3.72), “Regulatory landscape is too complex” (3.4), and “BYOD/BYOA” (2.72).

In a statement contained in the organizations’ press release, Marc Probst, chair of the CHIME board of trustees and CIO at Intermountain Healthcare, said, “The survey data is representative of what we are hearing from our colleagues across the industry. Cyber criminals are attacking us from nearly every angle. We have to be extremely vigilant in educating our staff and our business partners on how to minimize the risk of an attack. We are only as safe as the weakest link along our networks.”
