Following up on the August 9 release of the results of the 2017 HIMSS Cybersecurity Survey, published by the Chicago-based Healthcare Information and Management Systems Society (HIMSS), HIMSS leaders organized a cybersecurity roundtable for the healthcare IT press on Friday, September 8, at its Chicago headquarters.
During the roundtable, Rod Piechowski, senior director, health information systems, at HIMSS, answered questions from the assembled members of the press, and elaborated his thoughts on some of the survey’s findings. The survey was conducted online between April and June, and obtained responses from 126 U.S.-based health information security professionals. Among those who responded, 54 survey respondents indicated that they worked at the “executive management” level, 51 said they worked at the “non-executive management” level (defined as “mid-level or senior management, but not executive-level”), and 21 were “non-management,” including “analyst, specialist, etc.”
In addition, 79 respondents said they have primary responsibility for information security in their organizations; 32 said they have “some responsibility” for information security; and 15 indicated that they “sometimes, as needed,” have such responsibility. Meanwhile, with regard to their organizations, 63, or 50 percent, work in acute-care provider organizations; 15, or 11.9 percent, work in non-acute-care provider organizations; 10, or 7.9 percent, work in “business associate” organizations; and 38, or 30.2 percent, work in “other” organizations, which can be health IT vendors, consulting firms, or payer organizations.
Among the key findings of the survey:
> With regard to the percent of their overall healthcare organization’s budget that is currently allotted to cybersecurity, 11 percent said more than 10 percent; 17 percent said 7-10 percent; 32 percent said 3-6 percent; 36 percent said 1-2 percent; and 7.9 percent indicated zero percent.
> Asked whether their organization employed a “senior information security leader” (someone with a chief information security officer (CISO) title or similar), 60 percent indicated that their organization had designated such an individual.
> Asked whether or not they had an insider threat management program, 40 percent indicated that they had such a program and that it was formal, with formal policies in place; 35 percent have such a program, but indicated that it is “informal”; 21 percent have no such program; and 5 percent didn’t know whether they had one or not.
> Asked how often their organization conducted a security risk assessment, 9 percent indicated daily; 10 percent, once a month; 8 percent, once a quarter; 7 percent, once every six months; 51 percent, once every year; 1 percent, once every two years; 2 percent, once every three years; 2 percent, less often than every three years; 6 percent conduct no security risk assessments; and 6 percent didn’t know.
> With regard to penetration testing, 3 percent of respondents indicated that their organization performed penetration testing daily; 7 percent, weekly; 18 percent, monthly; 38 percent, yearly; 9 percent, “other”; 15 percent said their organization did not perform penetration testing; and 10 percent didn’t know.
> With regard to the variety of cybersecurity frameworks available, 62 percent of respondents said that their organization uses the NIST Cybersecurity Framework; 25 percent use the ISO framework; 25 percent use the HITRUST framework; 22 percent use the Critical Security Controls framework; 11 percent use the COBIT framework; 8 percent use a framework from another organization; 12 percent use no cybersecurity framework; and 2 percent did not know.
> Meanwhile, with regard to cloud-based computing, the following were the top concerns of hospital-based survey respondents: ownership of data (53 percent); lack of cybersecurity (53 percent); lack of geographical restrictions (44 percent); lack of transparency (42 percent); insider threat (41 percent); costs and fees (37 percent); migration of data (37 percent); lack of physical security (27 percent); and lack of availability, and downtime (25 percent).
> Among non-hospital respondents, the results were somewhat different, and were as follows: insider threat (44 percent); lack of cybersecurity (41 percent); ownership of data (36 percent); costs and fees (32 percent); lack of physical security (26 percent); migration of data (24 percent); lack of transparency (21 percent); lack of geographical restrictions (18 percent); and lack of availability, and downtime (18 percent).
Piechowski, in dialogue with the healthcare IT journalists present on Friday, was asked about perceptions of the risk of cloud computing in healthcare, and whether hesitation on the part of some CIOs to move further into cloud computing could be attributed to IT security concerns. “Yes,” he said, in response to a question, “a lot of healthcare organizations are moving into the cloud; and, while on the one hand, it takes away the burden of having to maintain an IT department, on the other hand, there are trust issues.”