Healthcare organizations are slowly working to increase their healthcare cybersecurity governance, staffing, and budgetary resources, but there is still room for improvement, according to a recent study.
The second annual HIMSS Analytics HIT Security and Risk Management Study found that the percentage of respondents who spend 7 percent to 10 percent of their IT budget on cybersecurity increased from 10 percent to 24 percent from 2015 to 2016.
The survey targeted healthcare executives, the C-Suite, business and IT leaders, and clinical leadership.
Furthermore, the distribution of employees allocated to IT security increased in 2016. In 2015, eight percent of organizations had 11 to 20 employees dedicated to IT security, while 11 percent of companies had that many IT security employees in 2016.
However, IT budgets and staffing issues are still seen as the biggest barriers to having stronger healthcare cybersecurity programs, noted Symantec Health IT Officer David Finn, CISA, CISM, CRISC.
“The good news is we’ve seen more adoption of cybersecurity frameworks,” Finn told HealthITSecurity.com. “There’s an uptick in NIST and HITRUST as well as [Information Technology Infrastructure Library], which took a little bigger jump.”
Specifically, 61 percent of respondents said they are using the NIST Cybersecurity Framework, while 36 percent said they utilize HITRUST. Approximately one-third – 36 percent – also reported that they use ITIL.
“The importance of a cybersecurity framework, particularly if it’s a risk-based framework, is you begin to measure your progress in terms of risk to the organization,” Finn explained. “Whether it’s going up, or whether it’s going down, you have a metric for looking at it.”
Finn added that there is still a disconnect between the "business" and IT sides of healthcare. On average, clinical and business respondents report much higher confidence in their organization's cyber attack preparedness than their IT and security counterparts do.
Additionally, business leaders more commonly view cybersecurity as a business risk issue, whereas clinical and IT leaders view it as a HIPAA compliance issue.
“Historically in healthcare, security has been viewed as a HIPAA compliance issue,” he said. “The intent was really to check the boxes around the Security Rule and around the Privacy Rule. This year when we asked people what the drivers were around IT security, for the business users, risk assessment became the number one driver for doing security.”
Not only was that a significant change, but it shows the gap between the clinical workers and the IT/security workers, Finn stated.
“It means that the ransomware attacks we had last year, the shut down and slow down of clinical operations, and the impacts to patient care, people are now starting to wake up to the fact that security is really a business risk and not just an IT risk and responsibility,” he stressed.
The survey found that 91.7 percent of business respondents cited risk assessments as a key driver of decisions on where to invest in IT security. Approximately 71 percent of clinical respondents cited risk assessments as a driver, while 66 percent of IT respondents said the same.
HIPAA compliance remained the most-cited driver among clinical respondents, at 81 percent. By comparison, three-quarters of business respondents and 76 percent of IT respondents cited HIPAA compliance as a driver of investment decisions. (Respondents could cite more than one driver, so the percentages do not sum to 100.)
The next evolution of the healthcare CISO
Finn noted that another key takeaway from the survey was that two-thirds of participating organizations have CISO roles, which most often report to the CIO.
“We’ve started to staff up security, but the problem is we still tend to think of security as a technical/IT issue,” he pointed out. “A lot of security people today, they may be great with firewalls, they understand antivirus, but this is a bigger issue.”
For example, more business leaders are realizing that cybersecurity can be a business risk. If an organization is hit with ransomware, and an EMR is affected, that entity may not be able to operate as a healthcare provider, Finn explained.
“My concern here is that our tech people still don’t talk healthcare,” he said. “They may be great at technology, but we’re going to see another evolution in the CISO role from someone who’s focused on security, to someone who’s really more focused on the business risk.”
That way, the CISO can go talk about business risk with a CFO who is going to understand the financial impact if an organization can’t see patients for half a day because of an outage from ransomware.
“The next evolution will be adopting this as a business risk model and getting security people who understand not only the technical security but the business needs and requirements.”
Additionally, the old approach in security where there were separate tools will no longer be good enough to keep information secure, Finn maintained.
“What we need to do as an industry is start connecting all these dots,” he said. “Anti-virus needs to talk with your authentication systems, and your identification systems need to talk with your encryption systems. All of your computers need to recognize bad files, not just ones that are on the network, but something connected to the internet.”
Finn called it “population health for data,” and explained that the more healthcare organizations know about their data, the better care they can provide for that data.
“We need a comprehensive view of our risk and our security posture.”