Healthcare security professionals are mainly concerned with medical device security, patient safety, and data breaches, according to the 2017 HIMSS Cybersecurity Survey.
More healthcare organizations are building out their cybersecurity programs, for example by ensuring a CISO is in place and that risk assessments are conducted regularly, the report found.
HIMSS interviewed 126 IT leaders who said they had some responsibility for information security in a US-based healthcare provider organization.
Sixty percent of respondents said their organization employs a senior information security leader, such as a CISO. Organizations with such a leader are also more likely to adopt “holistic cybersecurity practices,” such as education and training or adopting the NIST Cybersecurity Framework.
“Quality, stress-tested cybersecurity programs are imperative to protecting provider organizations and the patients they care for,” HIMSS Health Information Systems Senior Director Rod Piechowski said in a statement. “This data is encouraging because it shows that many organizations are making security programs a priority; however, there is room for continued improvement. Our hope is that the new research will be an important resource for organizations navigating the complex security landscape.”
The survey also found that 71 percent of respondents said their organization allocates a specific part of its budget to cybersecurity, while 60 percent said 3 percent or more of the overall budget is spent on cybersecurity.
Eighty percent of those surveyed said that their organization employs cybersecurity staff, with 78 percent of respondents able to identify a cybersecurity staffing ratio.
Patient safety, data breaches, and the spread of malware were listed as the top concerns regarding medical device security, the survey found. Specifically, 32 percent of respondents named patient safety as a top concern related to medical device security.
“Such senior information security leaders know that cyber-attacks on medical devices may lead to serious consequences, especially if the medical device is life-sustaining or life-saving,” report authors wrote. “A hacked insulin pump may deliver a fatal bolus of insulin to a patient. A ‘connected’ pacemaker may deliver a fatal shock to a patient.”
Medical devices are also susceptible to malware attacks, with 20 percent of respondents stating this as a top concern.
However, the majority of respondents – 85 percent – reported that their organizations conduct a risk assessment at least once a year. Additionally, 87 percent of those surveyed said they conduct security awareness training classes for their staff at least once a year.
“Security awareness and training are required under the HIPAA Security Rule,” report authors noted. “Mitigating this risk may include security awareness and training so that the workforce member knows how to detect a phishing e-mail, what to do with it, and how to report the incident to the IT department.”
Three-quarters of respondents also said that they regularly conduct penetration testing. This is a specialized assessment “conducted on information systems or individual system components to identify vulnerabilities that may be exploited by adversaries,” HIMSS report authors explained, citing NIST.
“Given the increase in volume, velocity, and numbers of cyber-attacks, many organizations recognize penetration testing as a best practice,” researchers noted. “Many conduct penetration testing exercises regularly. Penetration testing includes phases such as, but not limited to, information gathering, identifying vulnerabilities, and exploitation of the target.”
More healthcare organizations are adopting cybersecurity frameworks, the survey revealed. Eighty-six percent said they use at least one security framework. Sixty-two percent said they use the NIST CSF, 25 percent cited HITRUST, and 25 percent also said they use ISO.
However, when there is a CISO or other senior information security leader in place, 95 percent of respondents said they use the NIST Cybersecurity Framework with its core functions of identify, protect, detect, respond, and recover.
When a CISO or other senior information security leader is in place at an organization, 41 percent of respondents reported using HITRUST, while 36 percent said they use ISO.
“In summary, security frameworks help organizations build a comprehensive security program with guidance on how to identify and prioritize actions for reducing cybersecurity risk,” report authors wrote. “Many CISOs and other senior information security leaders know that HIPAA compliance alone is not enough and that adopting and implementing a robust security framework is a necessary prerequisite for having a robust security program.”
When there is not a CISO or similar staff member in place, 30 percent of respondents said their organization utilizes the NIST CSF.
Looking forward, cloud security, medical device security, and website security were listed as key focus areas by organizations with a CISO or senior information security officer in place. Respondents rated areas on a scale of 1 to 5, where 1 was “not a priority” and 5 was “essential.”
Respondents without a CISO or similar staff member in place gave a higher priority to risk assessment and management and incident response.
The 2016 HIMSS Cybersecurity Report found that ransomware, advanced persistent threats (APTs), and phishing attacks were the most feared threats in healthcare cybersecurity.
Seventy percent of the 2016 respondents said they improved their network security, with 61 percent saying they improved their endpoint protection.