Healthcare providers are continuing to prioritize cybersecurity concerns, according to a recent KLAS Research and College of Healthcare Information Management Executives (CHIME) study.
In an effort to ensure stronger data security measures, more healthcare providers are looking to overcome healthcare cybersecurity issues by ensuring that the board and the C-suite are prioritizing such concerns.
For the report, KLAS interviewed approximately 200 chief information security officers, chief information officers, chief technology officers and other security professionals. Larger multihospital organizations (IDNs) and hospitals were targeted, along with input from large physician practices.
Researchers found that 42 percent of organizations have a vice president or C-level official in charge of cybersecurity, while just under two-thirds – 62 percent – said that security is discussed quarterly at board meetings.
Ninety-six percent of respondents said that they have someone in charge of their organization’s security program.
Just 16 percent of surveyed organizations reported having “fully functional” security programs, the report showed. However, 41 percent of respondents said that they have developed and are starting to implement a program. Forty-three percent admitted to either still developing their security program or not having developed one at all.
CHIME President and CEO Russell Branzell, FCHIME, CHCIO, explained that healthcare organizations take protecting patient data and their own data networks very seriously.
“As healthcare continues to march toward greater integration and information sharing across the continuum, we must become more vigilant in protecting data networks,” Branzell said in a statement. “Security has to be seen as an organizational priority. It is encouraging to see more C-level executives and boards taking greater responsibility for the issue.”
In terms of approaches to improving healthcare cybersecurity, over half of respondents – 55 percent – said that data encryption is the most common way of securing connected endpoints. Forty-two percent reported that antivirus/anti-malware systems were the most common security approach.
One-fifth of healthcare organizations said data loss prevention (DLP) solutions provide the biggest security benefit. For the report, KLAS defined DLP solutions as tools “that prevent employees from sharing sensitive information, such as PHI, with unauthorized individuals, either inadvertently or on purpose.”
Excluding clinics, the majority of organizations have at least one commercial solution in place for DLP, while about one-fifth utilize multiple commercial solutions to secure sensitive data.
For detecting phishing and ransomware attacks, 63 percent of those surveyed said that security information and event management (SIEM) is the most common approach.
Three-quarters of respondents said that they are following the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Furthermore, 31 percent of those surveyed said their organization utilizes the HITRUST security framework, while 19 percent reported they utilize SANS CIS controls.
The majority of organizations reported being fairly prepared in terms of breach readiness, with 79 percent saying they had cyber liability and breach insurance in place. Seventy-two percent said they have created a breach policy and playbook, while 67 percent said they had created a breach incident team.
However, organizations are not prioritizing security within their IT budgets. The report found that 41 percent of respondents have dedicated less than 3 percent of their IT budget to security, while 27 percent said they have dedicated 3 to 4 percent. Only 18 percent of those surveyed have more than 7 percent of their IT budget focused on security.
The report also found that 84 percent of organizations are using training to ensure that employees fully understand and follow security policies. Security education courses were also cited by 30 percent of organizations to help employees understand and follow policies and procedures.
Sixty-four percent of respondents said their organizations conduct external risk assessments at least annually, while 15 percent said they conduct an external risk assessment every two to three years. Nine percent reported doing so quarterly, with 3 percent conducting an external risk assessment biannually.