Only 29 percent of healthcare organizations report having a comprehensive cybersecurity program in place, according to the 2018 CHIME HealthCare’s Most Wired survey released this week.
Among those organizations that don’t have a comprehensive program, 31 percent are either not meeting with their executive committee or are meeting less than once a year to provide security updates. For the survey, 618 healthcare organizations were polled.
The CHIME report described six core components of a comprehensive cybersecurity program and the percentage of respondents who have each component: security deficiencies reported to the board (95%), security progress reported to the board (94%), dedicated CISO (90%), dedicated cybersecurity committee (79%), annual security updates to the board (76%), and board-level committee providing security program oversight (34%).
“Having a dedicated chief information security officer (CISO) and regularly reporting security updates to an executive committee are some of the first steps to mitigating cybersecurity vulnerabilities. However, for most organizations, establishing these security foundations is still a work in progress,” the report observed.
According to the CHIME survey, healthcare organizations with a comprehensive security program are more likely to support security measures, such as data-loss prevention (12% higher adoption), BYOD management (13% higher adoption), database monitoring (13% higher adoption), provisioning systems (14% higher adoption), log management (16% higher adoption), and adaptive risk-based authentication for network access (16% higher adoption).
Some organizations come up short on security fundamentals. For example, 10 percent of respondents don’t have mobile device management, 12 percent lack unique user IDs or physical device locks, 14 percent don’t have encryption for removable storage devices, and 18 percent lack encryption for backups.
At the same time, most organizations use firewalls, dispose of devices containing PHI, and secure mobile devices with passwords.
Nearly all organizations use informal mechanisms for sharing cyberthreat information. But fewer than one-third participate in formal cyberthreat information sharing groups, such as the Cyber Information Sharing and Collaboration Program, the National Cybersecurity and Communication Integration Center, or the Healthcare Cybersecurity and Communications Integration Center (now called the Health Sector Cybersecurity Coordination Center).
In terms of disaster recovery, 68 percent of respondents estimated that if a disaster caused total loss of their primary data center, they could restore operations within 24 hours for their clinical, financial, supply chain management, and human resources and staffing systems.
Organizations were asked about their adoption of ten components critical to an incident response plan: 26 percent of organizations have all ten, 43 percent have seven to nine, and 31 percent have fewer than seven.
The ten critical components of an incident response plan are: 1) documented EHR-outage procedures, 2) security/privacy breach notification procedures, 3) tabletop exercise at least annually, 4) disaster-recovery plan tied to business-continuity plan, 5) marketing and communications included in planning and exercises, 6) human resources team included in planning and exercises, 7) other members of organization included in planning and exercises, 8) resource management team included in planning and exercises, 9) legal team included in planning and exercises, and 10) enterprise-wide exercise held at least annually.
Nearly all organizations maintain some form of data repository for backing up data: off-site backups, 90 percent; off-site redundant data center, 78 percent; storage virtualization, 77 percent; cloud services for other systems, 63 percent; cloud services for clinical systems, 60 percent; infrastructure as a service, 33 percent; and data as a service, 23 percent.
In terms of cybersecurity frameworks, 78 percent of respondents said they use the NIST Cybersecurity Framework, 40 percent use HITRUST, 35 percent use ITIL, 24 percent use SANS, 19 percent use a self-developed framework, and 11 percent use ISACA’s COBIT.
“One of the key objectives of the Most Wired program is to drive change in the industry with the goal of improving patient safety and outcomes,” said Most Wired Board of Governors Chair William Spooner.
“Each participating organization received a benchmarking report to help them assess their strengths and gaps, but we wanted to go beyond just the participants. The trends report is designed to help any healthcare organization identify opportunities to improve and advance our industry,” he noted.