CISOs Call for Healthcare Cybersecurity Federal Assistance

A survey of CISOs and other healthcare IT leaders revealed that healthcare cybersecurity is lacking in federal assistance and resources needed to combat cyber threats.

By Jill McKeon

Most chief information security officers (CISOs) reported needing additional federal assistance to combat healthcare cybersecurity threats, according to a survey fielded by the College of Healthcare Information Management Executives (CHIME) and Association for Executives in Healthcare Information Security (AEHIS).

Both CHIME and AEHIS are professional organizations with members spanning the healthcare IT industry, from CISOs to chief innovation officers (CIOs), chief nursing information officers (CNIOs), and chief digital officers (CDOs).

Over 80 percent of respondents reported increased cyber insurance costs over the past year as healthcare cybersecurity incidents continue to multiply. One in six respondents saw a 100 percent cost increase, and more than 20 percent of respondents saw a 50 percent cost increase in the last year.

“There is no end in sight for the growth of cyber risk and [the] exploitation of critical infrastructure,” an anonymous respondent stated.

“We are overwhelmed with unfunded federal mandates. Our organization is struggling through the pandemic while having mandate after mandate applied. [This is] not sustainable,” another remarked.

President Biden’s Administration has announced numerous cybersecurity initiatives since he issued an executive order in May pledging to improve the nation’s cybersecurity. However, some healthcare CISOs reported feeling that healthcare was left out of the federal agenda.

“The results continue to outline what those who have been active in the cybersecurity landscape have known for years, healthcare is under constant threat, more resources are needed for healthcare providers and significant education gaps remain,” the survey report suggested.

Over 65 percent of respondents indicated that their organizations had experienced a cybersecurity incident in the last 12 months. Phishing, malware, ransomware, hacking, and insider threats were identified as the most common security exploits.

The survey identified IoT/connected devices, an increased remote workforce, third-party consumer health apps, API security, and supply chain security as the top emerging healthcare security threats.

Approximately 40 percent of respondents reported needing help in terms of grants and federal assistance, and a third of respondents said they would appreciate having regional extension centers (RECs) with cyber experts on hand who could provide guidance and expertise.

Some respondents reported wanting closer relationships with federal authorities such as the FBI and the Cybersecurity & Infrastructure Security Agency (CISA), and others were looking for guidance on when it is acceptable to share threat information.

Despite CISOs urgently needing assistance for their organizations, 45 percent of respondents were unaware of freely available 405(d) best practices provided by HHS. Just over half of respondents said they were members of top industry groups such as the Information Sharing & Analysis Center (ISAC) and the Information Sharing and Analysis Organization (ISAO).

“With providers facing an exponentially increasing number of attacks and an increase in the cost of insurance to protect themselves, it is clear now, more than ever, that Congress and the Executive Branch must work to give providers the resources, education and funding they need to ensure that our healthcare system is protected against these pervasive and persistent attacks,” researchers concluded.

“To achieve this, strong collaboration between the public and private sectors will be absolutely necessary.”