Cybersecurity has been elevated to a central concern for healthcare providers, with more attention at the board level and the C-suite, according to a new survey by Orem, Utah-based KLAS Research and the College of Healthcare Information Management Executives (CHIME). The study found that 42 percent of organizations have a vice president or C-level official in charge of cybersecurity and for 39 percent of organizations, the head of cybersecurity is at the director level.
The survey finding also indicate that cybersecurity issues are increasingly making it to the board level as 62 percent of respondents report that security is discussed quarterly at board meetings.
The 271-page report, titled “Cybersecurity 2017: Understanding the Healthcare Security Landscape,” studies profiled provider adoption of and experiences regarding specific cybersecurity solutions, including data loss prevention (DLP), identity and access management (IAM), mobile device management (MDM), and security information and event management (SIEM).
In partnership with CHIME, KLAS conducted nearly 200 interviews of chief information security officers, CIOs, chief technology officers and other security professionals. To cover the largest number of impacted providers and patients, the research targeted mainly larger multihospital organizations (IDNs) and hospitals, with some additional input from large physician practices (75+ physicians), according to KLAS.
The study found that 16 percent of providers—mostly large hospitals or integrated delivery networks—reported having “fully functional” security programs. Another 41 percent reported that they’ve developed and are starting to implement a program. However, close to half of respondents (43 percent) reported that their organization’s security program was either “developing” or “not developed.” Smaller hospitals and physician practices lagged behind in their program development.
Eighteen percent of survey respondents reported that 7 percent or greater of their total IT budget was dedicated to security while 14 percent of respondents said spending on security made up about 5 to 6 percent of their IT budget. The largest segment, 41 percent of respondents, reported dedicating 3 percent or less of their IT budget to security, while 27 percent placed their security spending at between 3 to 4 percent of their total IT budget.
Additionally, when asked to gauge their breach readiness level, close to 80 percent of respondents reported their organization had a cyber liability and breach insurance in place and 72 percent reported they had a breach policy and playbook created while 67 percent reported they had a breach incident team created. Six percent said they didn’t know their breach readiness level.
Other key findings of the study included:
- 55 percent of respondents reported that encryption is the most common way of securing connected endpoints on their networks, followed by antivirus/malware systems at 42 percent and mobile device management (MDM) at 33 percent
- 63 percent of respondents reported that security information and event management (SIEM) is the most common method for detecting phishing and ransomware attacks followed by Intrusion Detection (26 percent) and end-user reporting (15 percent)
- 39 percent of respondents reported that an incident-response plan/policy is the most common method for responding to attacks, followed by incident-response teams (34 percent) and then services firm/insurance (20 percent)
- 75 percent of respondents reported that they are following the National Institute of Standards and Technology Cybersecurity Framework; 31 percent are following HITRUST
- 84 percent of organizations are using training to ensure employees understand and follow security policies
- 76 percent of organizations do external risk assessments on at least an annual basis
“Healthcare organizations take their responsibility for protecting patient information and their data networks very seriously,” CHIME president and CEO Russell Branzell said in a statement. “As healthcare continues to march toward greater integration and information sharing across the continuum, we must become more vigilant in protecting data networks. Security has to be seen as an organizational priority. It is encouraging to see more C-level executives and boards taking greater responsibility for the issue.”
“Providers are embracing cybersecurity and report that vendor solutions are becoming more robust and responsive to provider’s needs,” Garrett Hall, director of cybersecurity for KLAS, said in a prepared statement. “However, cybersecurity remains a significant challenge for many providers, and the healthcare industry as a whole.”
