A new healthcare cybersecurity report from HIMSS finds that healthcare organizations are taking steps to enhance their cybersecurity programs to a greater degree, and the findings also indicate that organizations that employ a CISO or other senior information security leader have adopted holistic cybersecurity practices.
The 2017 HIMSS Cybersecurity Survey provides insight into what healthcare organizations are doing to protect their information and assets, in light of increasing cyber-attacks and compromises affecting the healthcare sector. The 2017 report focuses on the responses from 126 IT leaders who report having some responsibility for information security in a U.S.-based healthcare provider organization, such as a hospital or long-term care facility.
The majority of organizations measured (71 percent) allocate specific budget toward cybersecurity. Additionally, 80 percent of IT leaders measured indicated their organization employs dedicated cybersecurity staff.
“As it was last year, attackers continue to target the healthcare sector,” Rod Piechowski, senior director, health information systems, HIMSS, said in a statement. “Quality, stress-tested cybersecurity programs are imperative to protecting provider organizations and the patients they care for. This data is encouraging because it shows that many organizations are making security programs a priority; however, there is room for continued improvement. Our hope is that the new research will be an important resource for organizations navigating the complex security landscape.”
Of those respondents who were able to identify the percent of their organization’s budget allocated for cybersecurity, 60 percent claim cybersecurity commanded 3 percent or more of the budget. The highest percentage of respondents (40 percent) reported only allocating 1 to 2 percent to cybersecurity, while 32 percent said 3 to 6 percent of the budget. Seventeen percent allocate 7 to 10 percent and 11 percent of respondents allocate more than 10 percent of their budget to cybersecurity.
However, 8 percent of respondents indicated that no funds have been allocated for cybersecurity.
The vast majority of organizations (80 percent) employ cybersecurity staff. Of those who could identify a cybersecurity staffing to IT users ratio, 53 percent reported a ratio of 1:500 or lower. The 1:500 ratio is significant because some researchers have found that a staff ratio of 1:500 is ideal for organizations that are information centric, have a considerable Internet exposure and a low risk appetite.
Over half of respondents (60 percent) indicate their organizations employ a senior information security leader, such as a Chief Information Security Officer (CISOs). Essentially, these respondents’ organizations have made the decision to dedicate an executive role in information security through this senior leader position, arguably making information security a business priority.
Three-quarters of respondents (75 percent) indicate that they have some type of insider threat management program at their organizations. While it is encouraging that so many respondents indicated that they have an insider threat management program, the report authors note that a formal insider threat management program may be more effective than an informal one.
The vast majority of respondents (85 percent) state that they conduct a risk assessment at least once a year, and 51 percent only do it once a year. One of the requirements of the HIPAA Security Rule is to conduct a security risk analysis. In addition, the meaningful use program has been a major driver in ensuring that healthcare providers do so. Healthcare providers have had to attest, under the meaningful use program, for each electronic health record (EHR) reporting period that a security risk analysis has been conducted. While it’s encouraging that most healthcare providers are doing a security risk analysis a least once a year.
And, the majority of respondents (87 percent) report that they conduct security awareness training classes for their staff at least once a year. Seventy-five percent of respondents indicate that their organizations regularly conduct penetration testing.
The survey also examined the cybersecurity practices of those organizations that employ an information security leader. An analysis of the responses from respondents with a CISO or other senior information security leader revealed that their organizations have adopted holistic cybersecurity practices in a number of critical areas, including procurement, education/training and adoption of the NIST Cybersecurity Framework. “Intuitively, this makes sense, as the role of a senior information security leader is to help drive organizational change and establish priorities for an organization’s information security program,” the survey authors wrote.
Eight-six percent of organizations use at least one or more security frameworks, with 62 percent using the NIST Cybersecurity Framework. With a CISO or other senior information security leader, 95 percent of organizations use the NIST Cybersecurity Framework with its core functions of identify, protect, detect, respond, and recover. What’s more, 41 percent of organizations with a security leader using the HITRUST common security framework (CSF).
With a CISO or other senior information security leader at the helm, the vast majority of these respondents (88 percent) conduct cybersecurity due diligence on technology products and services, prior to acquisition. By comparison, 57 percent of organizations without a security leader said they conduct cybersecurity due diligence on technology products and services, prior to acquisition.
The report authors note that “an ounce of prevention is worth a pound of cure.” “It may be worthwhile to carefully select and vet technology products and services from technical, business, and legal due diligence perspectives to ensure that the product or service that is ultimately selected by an organization is the right one, given its risk appetite, goals, vision, and mission—including in light of potential cybersecurity risks and concerns,” the report authors wrote.
The survey findings also indicate that information security professionals at acute care providers have more specific concerns about cybersecurity, compared to their non-acute care provider counterparts.
The top concerns of information security professionals at acute care providers regarding information sharing are lack of transparency (47 percent), lack of confidentiality (39 percent), lack of trust (39 percent), and lack of vetted participants (37 percent).
Information security professionals at acute care providers have concerns about cloud security, especially in terms of ownership of data (53 percent), lack of cybersecurity (53 percent), insider threat (41 percent), lack of transparency (42 percent), and lack of geographical restrictions (44 percent).
With regard to security of medical devices, respondents at acute care providers (35 percent) were most concerned about patient safety, such as patient harm or serious injury, which may result from a security compromise of a medical device, followed by concerns about a data breach (27 percent) and spread of malware to other devices on the same network (25 percent).
The report authors concluded that the survey findings serve as an indication that information security professionals at both acute care and non-acute care providers are taking steps to significantly improve their cybersecurity posture, including regularly conducting penetration testing, performing risk assessments, and, at times, taking a more cautious approach to cybersecurity (especially in the case of acute care providers).
“In addition, healthcare organizations with a Chief Information Security Officer or other senior information security leader, have adopted holistic cybersecurity practices and perspectives in critical areas. While the healthcare sector may not have had decades to establish and improve its cybersecurity posture, like the chemical, manufacturing, and other sectors, significant strides have been made in the ‘growth’ of information security programs within the healthcare sector. This growth was catalyzed, in part, by significant cyber-attacks targeting the healthcare sector and other sectors and industries. The other part is due to heightened situational awareness, know-how, and acumen in regard to cybersecurity and its best practices,” the report authors wrote.
