32% of Healthcare Organizations Have a Comprehensive Security Program

Core components of a comprehensive security program include regular reporting of security deficiencies and having a designated CISO.

By Jill McKeon

Just 32 percent of surveyed acute and ambulatory care organizations had a comprehensive security program in 2021, according to the College of Healthcare Information Management Executives (CHIME) “Digital Health Most Wired” survey.

CHIME surveyed thousands of ambulatory, acute, and long-term/post-acute (LTPAC) facilities to assess how and to what extent healthcare organizations are implementing information technology. Only 26 percent of LTPAC organizations were considered to have a comprehensive security program.

In 2020, 34 percent of organizations met the standards for a comprehensive security program. However, CHIME updated some of its standards in 2021 to reflect industry advances, raising the bar for surveyed organizations. In 2019, only 24 percent of organizations met the standards for a comprehensive security program.

Under the new standard, organizations must report security deficiencies and progress quarterly rather than annually, and they must give the board a security update semi-annually rather than annually. In addition, organizations must have a dedicated chief information security officer (CISO) with presence in the executive suite rather than just a director of security.

Considering the updated standards, CHIME found that growth in individual core components remained relatively consistent from 2020 to 2021.

To be considered a comprehensive security program under CHIME’s standards, a program must include employee security training and education, a dedicated cybersecurity committee, and annual risk assessments to identify compliance gaps and security vulnerabilities.

In addition, the program must include annual cyber response tabletop exercises, regular reporting of security progress to the board, an annually updated inventory of all business associates, a documented risk management program, a designated security operations officer (SOC), and a designated CISO.

Rates of having a designated security operations officer grew by four percentage points, signifying the largest area of growth. Having a designated CISO remains the least adopted core component across all organization types. About 60 percent of acute and ambulatory care organizations had designated a CISO, along with 55 percent of LTPAC organizations. Acute care organizations that participated in the CHIME survey in past years were significantly more likely to have a CISO compared to new survey participants.

Results revealed that healthcare organizations were more likely to adopt technology-focused security measures compared to measures involving people and processes. Both comprehensive and non-comprehensive organizations adopted risk-based authentication for network access, medical device security tools, and next generation endpoint protection systems at higher rates than past years.

However, organizations continued to deprioritize implementing an incident recovery plan, Purple Team exercises, and social engineering risk assessments. Purple Team exercises are typically driven by cyber threat intelligence and involve emulating tactics, techniques, and procedures used by known threat actors to identify security gaps.

“Amid growing cybersecurity threats, the application of Purple Team Exercises (added to the Most Wired survey in 2021) has become increasingly critical— these are exercises where a blue team (defenders) and a red team (attackers) are brought together to simulate security threats,” the report emphasized.

“While annual Purple Team Exercises are the least-adopted measure across organization types, they can significantly improve an organization’s security posture.”

The survey also found that more organizations can send discrete data to third-party entities than consume it from them. Government agencies, insurance companies, and skilled nursing or chronic care facilities had the biggest gaps in their ability to send versus consume data.

“As these gaps narrow and more organizations exchange discrete data, patient care will be improved as a result of reduced duplications and enhanced longitudinal care records,” CHIME explained.

Despite the challenges that came along with COVID-19, 80 percent of acute and ambulatory care organizations and 82 percent of LTPAC facilities said that their ability to respond to emergent cybersecurity threats was not inhibited by the pandemic.