Organizations need to enhance their HIT network security infrastructure as more advanced cyberattacks continue to threaten clinical data.
HIMSS released its latest cybersecurity survey, which highlights the importance of cybersecurity to health IT infrastructure. The report surveyed 126 qualified information security experts from US healthcare organizations.
“As it was last year, attackers continue to target the healthcare sector,” HIMSS Health Information Systems Senior Director Rod Piechowski said in a statement. “Quality, stress-tested cybersecurity programs are imperative to protecting provider organizations and the patients they care for.”
“This data is encouraging because it shows that many organizations are making security programs a priority; however, there is room for continued improvement,” he continued. “Our hope is that the new research will be an important resource for organizations navigating the complex security landscape.”
The report made three major observations while surveying healthcare organizations on their cybersecurity practices. The first was that more entities are taking steps to enhance their cybersecurity by increasing their budgets and hiring dedicated staff.
The report found that 71 percent of organizations had a budget specifically for cybersecurity and 80 percent indicated that they employ dedicated cybersecurity staff. The report also indicated that 53 percent of respondents reported a cybersecurity staffing ratio of 1 to 500 or lower, which is ideal for maximized effectiveness.
Sixty percent of organizations also have a chief information security officer (CISO), indicating that cybersecurity is significant enough for the entity to have an executive role.
Insider threats were also highlighted as a significant danger to clinical data, with 75 percent of entities saying that they have an insider threat management program as part of their IT security infrastructure.
Insider threat management protects clinical data from unintentional insider threats and malicious insider threats. Seventy-five percent of respondents also reported they had experienced some type of insider threat over the past year.
Increased cybersecurity budgets and staffing can lead to proactive security measures to protect the network.
Eighty-five percent of organizations stated that they conduct a risk assessment once per year, while 75 percent conduct regular penetration testing to identify vulnerabilities before attackers can exploit them.
Organizations are also conducting security awareness training classes to reduce the threat of unintentional insider threats.
The second major observation the HIMSS survey highlighted is that organizations with a CISO also tend to adopt holistic cybersecurity practices. Eighty-six percent use at least one security framework, with the most common being NIST, ISO or HITRUST.
“Security frameworks help organizations build a comprehensive security program with guidance on how to identify and prioritize actions for reducing cybersecurity risk,” said the report. “Many CISOs and other senior information security leaders know that HIPAA compliance alone is not enough and that adopting and implementing a robust security framework is a necessary prerequisite for having a robust security program.”
Organizations with a CISO, or the equivalent security staff member, are much more likely to conduct a cybersecurity assessment than the organizations without that position. Assessments are important because they allow organizations to see if a security solution is compatible with the rest of the IT infrastructure and will do the job it needs to do.
“Hardware, software, mobile devices, medical devices, and other components may have severe vulnerabilities and, thus, could expose the organization to significant risk (if such vulnerabilities were successfully exploited),” the report explained. “Moreover, default configurations or misconfigurations of a product or service may also potentially expose an organization to significant risks.”
Under a CISO's leadership, the holistic cybersecurity approach also included business continuity with backup and disaster recovery, medical device security for patient safety, and penetration testing.
The third major observation was that information security professionals at acute care providers have more specific cybersecurity concerns.
A lack of transparency, a lack of confidentiality, and a lack of trust were acute care providers' top three cybersecurity-specific concerns.
Interoperability with other organizations is also one of the top cybersecurity concerns because it is still new territory.
“Traditionally, many healthcare organizations have not participated in external information sharing with others in regard to cyber threat indicators, defensive measures, mitigation information, and other information (such as for situational awareness),” said the report.
“In addition, those that have participated in external information sharing with others may be very cautious about what they decide to share and with whom. Thus, information sharing may, at times, occur within a “closed circle” of trusted and vetted colleagues and within a forum where the rules of engagement are clear (and enforced, as appropriate).”
Cloud security and the ownership of data were also top concerns for acute care providers, because it may be unclear whether the cloud service provider or the organization technically owns the data at the end of a contract.
Healthcare organizations are generally more trusting of cloud, but the report indicated that acute care organizations are still more wary of cloud security than their non-acute care counterparts.
Third-party security was also a concern for acute care providers because the third party may not adopt the same policies and practices as the provider organization. Lax security may allow an attacker to gain access to the provider's IT infrastructure through the third party.
Destruction of the organization's data at the end of the contract is a related concern: even if a contract states that the data will be destroyed, there may not be any assurance that it actually occurred.
Overall, the report found that healthcare organizations are taking significant steps to improve their cybersecurity in the face of increased insider and outsider threats.