Are CIOs and CISOs Behind the Curve on Data Security? Results of a New Survey Say Yes

March 15, 2016
by Mark Hagland
David Finn, the health IT officer at Symantec, discusses the results of a new survey of CIOs on data security, and its implications for the next few years

With all the recent headlines and developments around data security breaches, hacking incidents, and even ransomware attempts hitting U.S. patient care organizations, one might think that CIOs, their fellow c-suite executives, and hospital and medical group boards of directors might be farther along on their data cybersecurity journey. In fact, a new survey-based study has found, there is real reason for concern. During HIMSS16 in Las Vegas earlier this month, leaders from HIMSS Analytics, a division of the Chicago-based Healthcare Information & Management Systems Society, and from the Mountain View, Calif.-based Symantec, released the results of a new study, entitled “Healthcare IT Security and Risk Management Study.” David Finn, the health IT officer at Symantec, released and described some of the results on Wednesday, March 2, on the exhibit floor of the Sands Expo in Las Vegas, during HIMSS16.

The survey was conducted online in December 2015, and drew 115 online respondents. Interviewers then conducted 10 phone interviews with CIOs and other healthcare IT leaders, in order to add richer detail to the online survey results.

With regard to the respondents, 38.3 percent represent hospitals and health systems with 501 or more beds; 26.2 percent represent hospitals and health systems with 251-500 beds; 36.5 percent represent hospitals and health systems with 101-250 beds; and none represent hospitals and health systems with fewer than 100 beds.

Among the important findings:

  • When asked what percentage of their total IT budget (operating and capital) is devoted to IT security, 51.6 percent said 0-3 percent; 28.6 percent said 4-6 percent; 9.9 percent said 7-10 percent; and 9.9 percent said more than 10 percent.
  • Asked how many employees from both inside and outside IT are allocated to IT security in their organization, the results were as follows: fewer than 1, 12.0 percent inside IT and 55.9 percent outside IT; 1-5, 60.2 percent inside IT and 32.5 percent outside IT; 6-10, 10.2 percent inside IT and 2.9 percent outside IT; 11-20, 8.3 percent inside IT and 20.0 percent outside IT; 21-30, 3.7 percent inside IT and 1.0 percent outside IT; more than 30, 5.6 percent inside IT and 5.9 percent outside IT.
  • The adjusted total average number of IT employees devoted to IT security was 9.9 FTEs.
  • With regard to how often IT security was discussed at their organizations’ board meetings, 53.9 percent said it was discussed “upon request of the board or executive management”; 20.9 percent said, “at most board meetings”; 10.4 percent said, “at every board meeting”; 7.8 percent said, “never”; and 7.0 percent said, “other.”
  • Unfortunately, only 46.09 percent of respondents are currently addressing data security threats potentially coming through their organizations’ medical devices, though 33.04 percent are “beginning” to do so, and another 16.52 percent “plan to do so.” The percentages of respondents whose organizations are already addressing IT security on mobile devices and on cloud-based applications are higher, at 69.57 percent and 61.74 percent, respectively.


Finn, a former hospital CIO, spoke this week with HCI Editor-in-Chief Mark Hagland regarding the study. Below are excerpts from that interview.

There are a lot of significant results to talk about from this survey and study. Were you surprised by any of the results involved?

You know, that’s a great question. We get that asked a lot. And honestly, since I’ve been doing this for so long, the only surprising thing is, here we are 13 years down the road from the privacy act, and 11 years down the road from the security act, and the only thing surprising to me is that we still haven’t done very much, substantively speaking. Independent Security Evaluators, ISE, did a survey, too.

We haven’t addressed some of the real issues like medical devices; and we still haven’t addressed issues like cloud and mobile devices. And we still approach it from this kind of “check-the-box” perspective, as though it’s a compliance issue, and compliance doesn’t protect you, you’ve still got to be secure.

The now-infamous ransomware situation unfolded at Hollywood-Presbyterian Medical Center after the survey had been completed. What do you think of that situation in the context of the survey/study?

I went directly to HIMSS from a week on the road, and my weeks on the road are typically with customers. And every customer that week before HIMSS had noted an uptick in ransomware attempts. And these are not purely Symantec customers, they also have other products. And they all made it through those ransomware attempts; one struggled, but they all made it through. And there was some bashing about Hollywood Presbyterian paying the ransom. But the thing is, this is not a security problem. When Hollywood Presbyterian paid the ransom, it wasn’t to get data back or turn systems on, it was because they couldn’t take care of patients. This is not a security issue, it’s a patient care issue. And this will continue to happen. And it really needs to become a concern of the c-suite—and CIOs need to communicate that to the c-suite.

What do CIOs need to do to get their fellow c-suite leaders engaged around data security right now?