Swinging the Cybersecurity Pendulum: Can New Strategies “Reverse the Curse?” | Healthcare Informatics Magazine

Swinging the Cybersecurity Pendulum: Can New Strategies “Reverse the Curse?”

February 28, 2018
by Rajiv Leventhal
Healthcare breach incidents are still far too plentiful, but cybersecurity experts are pointing to new strategies around behavioral monitoring and identity and access management as key pieces to solving the puzzle

“It’s not inconceivable that there could be a large infrastructure attack in America and if there was, it could absolutely affect a hospital’s ability to deliver care.”

---Mac McMillan, chairman, CEO and co-founder of Austin, Texas-based consulting firm CynergisTek, in a recent interview with Healthcare Informatics

The healthcare cybersecurity crisis does not seem to be significantly improving, and experts continue to warn us of the potential ramifications. According to the 2017 year-end data breach report from Baltimore-based cybersecurity software company Protenus, last year there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) or the media—compared to 450 reported breaches in 2016 (it should be noted that there was also a drastic decrease in the number of affected patient records—27.3 million records breached in 2016, over five times greater than the number of records affected in 2017). Nonetheless, 2017 still saw an average of at least one health data breach per day throughout the entire year.

At healthcare organizations across the U.S., chief information security officers (CISOs) are deploying new strategies and approaches to cyber defense as they continue to face the new reality that data breaches are at this point becoming expected. In fact, a recent survey of more than 600 CISOs and other information security professionals across multiple industries, conducted by the Ponemon Institute, revealed that two-thirds of respondents believe that their companies are more likely to fall victim to a cyber attack or will face a data breach this year.

According to that same survey, when asked what they predict will happen to their organization in 2018, CISOs and other top security leaders indicated that human error actually leads the list of their worries. Sixty-five percent of respondents specifically reported they worry that a careless employee will fall for a phishing scam that results in a credential threat.


So what are some ways in which CISOs and other healthcare security leaders are working to fight off cyber attackers and better protect their data? None of the experts who Healthcare Informatics interviewed for this piece believe in any “magic bullet” approach, but more frequently now, leading minds are pointing to a few specific areas in which organizations can improve their strategies—namely, monitoring users’ behaviors and leveraging identity and access management (IAM) protocols.

Advanced Behavioral Monitoring and How it Could Help

CynergisTek’s McMillan, who has long advocated cybersecurity strategies that do more than simply “follow the rules” and perform traditional audits as a manual process, feels that organizations have to think about behavioral monitoring (in which organizations monitor their users at a high level) in terms of “attributes.” What he means by that is that just about everything that happens in the system is an attribute: a user, a person, a patient, a time of day, and a location can all be attributes. And the more attributes one can associate with a given series of events, the more accurate the analysis can be, he says.


As such, McMillan opined that using behavioral analytics, when focused on all of these attributes, is more effective than traditional methods that don’t take into consideration these attributes, but rather take in more things that are compliance- or rules-based, and are very limited in the information they look at.

He brings up the example of a nurse working in the ED. After studying numerous ED nurses, a pattern typically emerges that shows what a nurse’s profile looks like. When a person in that role begins to act outside that role, or something else in that profile changes, that is an anomaly, and the system can then alert someone to check on it, since this person isn’t acting the way he or she is expected to act in that role.

“That’s the difference in these new behavioral analytics type tools that give you the ability to do more granular analysis, pulling in more attributes than the old manual compliance processes that are literally looking to see if Nurse Betty looked at someone’s record that wasn’t on her floor. And then someone has to go follow that lead and do a bunch of other data collection to figure out if Nurse Betty should have been over there, why was she there, and what were the circumstances? That is very time consuming and inefficient,” McMillan says.

Meanwhile, these [newer] tools can quickly look at everything associated with Nurse Betty and narrow down that this was the day that she was not working in her normal location, but she was assigned somewhere else and saw X patients. “You can quickly identify those events that look [like] outliers,” McMillan explains. He adds that behavioral analytics tools “allow you to study the behaviors of all of the different players in the equation of an event—not just the patient, but the caregiver, whoever was involved in the access, as well as the location and the activity, so you can understand more accurately what’s going on and what is really happening.”
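As an added illustration (not code from the article or from any vendor’s product), the Python sketch below contrasts the two approaches McMillan describes: the old compliance rule checks a single attribute (did Nurse Betty open a chart that wasn’t on her floor?), while the attribute-based check also weighs that day’s staffing assignment, the workstation location, and the hours and units learned from the nurse role’s baseline. All user names, units, roster entries and access events are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    """One chart access, carrying the attributes McMillan lists."""
    user: str
    role: str
    day: str           # YYYY-MM-DD
    hour: int          # 0-23, local time
    location: str      # unit of the workstation used, or "remote"
    patient_unit: str  # unit the accessed patient is admitted to
    patient_id: str


# Constructed reference data (assumption: a staffing feed is available).
HOME_UNIT = {"nurse.betty": "ED", "nurse.carl": "MED-SURG"}
ROSTER = {  # (user, day) -> unit assigned by staffing for that shift
    ("nurse.betty", "2018-02-21"): "ICU",  # floated to ICU for one shift
    ("nurse.carl", "2018-02-21"): "MED-SURG",
}

# Constructed history: a typical nurse works 07:00-19:00 in ED, ICU or MED-SURG.
HISTORY = [
    AccessEvent("nurse.ann", "nurse", "2018-02-01", h, u, u, f"p{h}{u}")
    for u in ("ED", "ICU", "MED-SURG")
    for h in range(7, 20)
]


def build_role_profile(events):
    """Learn, per role, the hours and units in which access normally happens."""
    profile = defaultdict(lambda: {"hours": set(), "units": set()})
    for e in events:
        profile[e.role]["hours"].add(e.hour)
        profile[e.role]["units"].add(e.patient_unit)
    return profile


def rule_based_flag(event):
    """The old manual compliance check: a chart outside the user's home unit."""
    return event.patient_unit != HOME_UNIT.get(event.user)


def attribute_based_reasons(event, profile):
    """Evaluate every attribute at once and explain each one that looks off."""
    reasons = []
    role = profile.get(event.role, {"hours": set(), "units": set()})
    assigned = ROSTER.get((event.user, event.day), HOME_UNIT.get(event.user))
    if event.patient_unit != assigned:
        reasons.append(f"patient unit {event.patient_unit} != assigned unit {assigned}")
    if event.location != event.patient_unit:
        reasons.append(f"accessed from {event.location}, not from the patient's unit")
    if event.hour not in role["hours"]:
        reasons.append(f"hour {event.hour:02d}:00 is outside the {event.role} baseline")
    if event.patient_unit not in role["units"]:
        reasons.append(f"{event.role}s are not normally seen in {event.patient_unit}")
    return reasons


ALERT_THRESHOLD = 2  # assumption: one odd attribute is a lead, two or more is an alert


def triage(events, profile):
    """Return, per event, what the old rule and the attribute analysis conclude."""
    out = []
    for e in events:
        reasons = attribute_based_reasons(e, profile)
        out.append({
            "event": e,
            "rule_flag": rule_based_flag(e),
            "reasons": reasons,
            "alert": len(reasons) >= ALERT_THRESHOLD,
        })
    return out


# Constructed events: a legitimate float shift and a genuinely odd access.
SAMPLE = [
    AccessEvent("nurse.betty", "nurse", "2018-02-21", 14, "ICU", "ICU", "p1001"),
    AccessEvent("nurse.betty", "nurse", "2018-02-21", 3, "remote", "ONCOLOGY", "p2002"),
    AccessEvent("nurse.carl", "nurse", "2018-02-21", 10, "MED-SURG", "MED-SURG", "p3003"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE, build_role_profile(HISTORY)):
        e = r["event"]
        print(f"{e.user} {e.day} {e.hour:02d}:00 {e.patient_unit}: "
              f"rule_flag={r['rule_flag']} alert={r['alert']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

The first Betty event trips the old rule (ICU is not her floor) but produces no alert once the roster shows she was assigned there; the 03:00 remote access to an oncology chart is flagged on every attribute.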

Indeed, while there is a general consensus that behavioral monitoring strategies are becoming increasingly necessary, the question then becomes, how many healthcare CISOs are deploying these methods? And how sophisticated are their processes?

McMillan, for one, attests that healthcare as an industry “is way behind,” but adds that organizations “are now starting to move in that direction as they realize the capability of behavioral monitoring tools.” Meanwhile, Michael Ebert, a Philadelphia-based healthcare and life sciences leader for cybersecurity at KPMG, feels that these tools “are not being utilized at the level they should be.” Ebert says that the behavioral monitoring concept is one that’s tough to deploy in healthcare because most organizations haven’t yet matured their baseline security requirements to the point where they could even capture and measure that data effectively. He notes, “They don’t have good identity management or good privileged access management in place. They don’t have data analytics tools in place to understand data movement in their enterprise. They might not even understand all the assets associated within their network,” he says, adding, “They are dealing with fundamental issues.”

One such security leader who is on that journey is Bryan Kissinger, Ph.D., vice president and CISO at Phoenix, Ariz.-based Banner Health, one of the largest health systems in the U.S. Kissinger notes that in some ways his organization is on the advanced side of behavioral monitoring tactics, but in other ways it is behind. In regards to analyzing clinician behavior within patient records, he says that there is technology in place that evaluates a number of inputs such as: the clinician’s job; where he or she physically is doing work; and which patients he or she is looking at, and it makes sure that clinicians are only accessing patient records they should be accessing.


But on the side of malicious activity traversing the network or systems behaving the way they shouldn’t be, Kissinger admits, “We’re only at the beginning,” adding, “We’re looking at baselining what is normal behavior for most of our systems. We have implemented some database anomaly monitoring technology to be able to look for normal behavior on our most critical databases, and then alert and take action when that behavior is not considered normal. And that all feeds into our SIM [security information management product],” he says.

IAM and Behavioral Analytics—A Powerful Combination

In addition to monitoring users’ behaviors, the sources interviewed for this article agree that identity and access management (IAM) protocols also need to be deployed, as healthcare data breaches are often caused by unauthorized access or disclosure of information.

KPMG’s Ebert explains that there are two components to identity, with one being the basic concept of managing users and what they access. This is what Ebert calls “joiners and leavers,” referring to those users in an organization who gain access (joiners) and those who have access removed due to changing jobs within the organization or leaving outright (leavers). These users typically have basic functional access to do things such as look at the directory service and send emails.

Then there is more privileged access, Ebert says—the users with admin rights. “Today, in a lot of environments we look at, organizations are still running Windows 7, which principally has more than one authenticated right, so you can [designate] a user versus an administrator. But the user isn’t orchestrated in the right way in that [access] could barely be managed and deployed,” he says. “Windows 10 fixes a lot of that, but most users have administrator rights on their local laptop. They have privileged access. And that’s why so many viruses and forms of attacks can be executed because [people] have admin rights,” Ebert contends. He also brings up the challenge that oftentimes doctors are not in a single hospital, but rather are contracted in. “So they may work in three or four hospitals just in a two-week period. Even full-time doctors can be rotational-based so their access rights have to change based on the role they are playing. You can have three different access rights in the same organization,” he says.


As such, Ebert says that once a good identity access process for joiners and leavers has been established, the behavioral aspect and security modeling can be implemented at a higher level. Indeed, Shefali Mookencherry, principal advisor at Naperville, Ill.-based consulting firm Impact Advisors, says that using the two together, what she calls “user and identity behavior analytics,” can be “very advantageous for organizations.” With traditional SIM tools, Mookencherry notes, “We’re only looking at limited context of a user’s data. We are looking at a snapshot in time of that user. But when we look at both user and entity behavioral analytics tools on top of that, you can start to connect the dots. You can see for example, if an employee is using an application and if he or she is starting to send out emails of internal information with attachments to an outside party,” she says.

Mookencherry, who heads up Impact’s cybersecurity and IT security practice, says she actually encourages organizations to take one more step past two-factor authentication, such as having a password tied with a one-time verification code and then also a fingerprint. “So then it’s three or more [authentications], and that can be cumbersome for users who will hate it because it’s not convenient and it slows them down. But from the security perspective it’s important that those measures are in place,” she says.


On the identity side, like most organizations, Kissinger notes that Banner Health has historically relied on an in-house developed system or done the work manually. But Kissinger, who has been in his role at Banner for less than a year, says his team is now looking at things from an efficiency and customer service perspective, getting to day-one birthright automated access for all workforce members. “And that access is tracked and governed within the platform such that on a quarterly basis we’re recertifying the access with the workforce member’s manager,” he says.

What’s more, for privileged access, Banner is using a tool that vaults privileged passwords, system accounts and privileged accounts, so that database administrators and other privileged users must go into the vault and check out an encrypted password in order to escalate from a normal user to an escalated user, Kissinger explains.

And lastly on the identity management front, Kissinger’s team is getting ready to implement a single sign-on tool that allows clinicians to be able to tap their badges on a badge reader—say in an exam room or the ED, or wherever they need to access health record technology—which then single signs them in to all of the applications they need for their job. “It probably saves each clinician five to six hours a week that he or she would normally need to do to manually type in log-ins and passwords to different systems throughout the day. So it’s a security feature but an efficiency one, too,” Kissinger contends.

Could New Strategies Reverse the Trend?

It’s not uncommon to hear in healthcare circles that cybersecurity will “get worse before it gets better,” or that bigger data breaches are on the way, sooner than later. But there is a feeling among the sources interviewed for this article that by investing more energy and effort into behavioral monitoring and identity and access management strategies, the tide could start to shift some.

Indeed, CynergisTek’s McMillan notes that there are “a tremendous number of breaches that occur as a result of insiders doing things they aren’t supposed to, and that’s not going away.” Meanwhile, Kissinger, when speaking about the “human factor,” says simply that “machines, computers and technology don’t make mistakes. Most ransomware is the result of unpatched systems and most systems can’t patch themselves—they require human intervention.” He adds, “Humans are the ones who click on phishing emails, upload credentials and download malicious software.”

That said, McMillan attests that investing in behavioral monitoring and identity and access management strategies “can absolutely contribute to a much better environment.” He says that when he has seen healthcare organizations implement these tools and good programs for monitoring, they have experienced a reduction in the number of incidents that occur. “Once users understand that the organization is monitoring proactively and has the ability to accurately identify when they are doing something they shouldn’t be doing, a large majority of folks who did things in the past out of curiosity, or because they thought they could get away with it, will begin to conform to the proper behavior. So you do see a drop in the number of internal issues,” he says.

McMillan and others also make the key point that a shift in how healthcare board leaders think about investing in cybersecurity will be required. He says, “The only way to effectively do a better job of reducing that is spending money on the technology that will allow you to proactively understand what users are doing in real time in the environment.”

Meanwhile, KPMG’s Ebert notes that with organizations spending up to $500 million on Epic or Cerner EHR (electronic health record) implementations, in addition to new technology for medical treatments and physical plant investments for the hospital, there often is “not much money left for security.” He adds that “The investment in security has lagged for so long that [organizations] are bolting it on rather than building it in. And it costs so much more to bolt it on—almost two-fold if not three-fold more,” he says.

In the end, Banner Health’s Kissinger says that while these new strategies will make a difference, healthcare is simply an industry in which threats will continue to evolve over time. “There’s no limit to the creativity of organized crime or nation state actors to be able to try and get to sensitive information and resources,” he says.

Kissinger adds, “The old analogy of the Golden Gate Bridge applies; you start to paint it on one end and by the time you get to the other end you have to start back at the beginning. We are constantly painting this bridge. You always have your foundational technologies in place, and a lot of us in healthcare are still putting foundational security safeguards in place. Once that’s in place, it becomes what we need to do from a refresh perspective or an emerging technology perspective to keep up with how the threats are evolving.”


Anthem Agrees to Record Payment—$16M—for Largest U.S. Health Data Breach

October 16, 2018
by Heather Landi, Associate Editor

Anthem, Inc., the second largest health insurance company in the U.S., has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to settle potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules violations in the largest U.S. health data breach in history.

In early 2015, Anthem, based in Indianapolis, was hit with a series of cyberattacks that led to an unprecedented health data breach that exposed the electronic protected health information (PHI) of almost 79 million people.

The $16 million settlement is a record HIPAA settlement that eclipses the previous high of $5.55 million paid to OCR in 2016, according to a press release from OCR. As part of the settlement, Anthem also agreed to take substantial corrective action.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans. This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

As reported by Healthcare Informatics Feb. 5, 2015, the payer announced details of the breach late Wednesday (Feb. 4) in a letter from President and CEO Joseph R. Swedish. He said that Anthem was the target of a “very sophisticated external cyber attack.” The hackers gained access to current and former members’ names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, and income data. Anthem said that credit card and medical information, such as claims, test codes, and diagnostic codes, were not compromised.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks.

According to OCR, the agency’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

“In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014,” according to the OCR press release.

In the Healthcare Informatics story at the time of the breach, reported by Gabriel Perna, Anthem faced criticism from industry observers for its lack of encryption. Trent Telford, CEO of Reston, Va.-based Covata and a member of Anthem, said, at the time, that the company was irresponsible for not protecting the data.

“We do not know what they were after and we do not know what they plan to do with the data—what we do know is that they were after the data itself and it was left exposed and unsecured. The data was not encrypted making it a valuable target for thieves,” he said in a statement that was quoted in the story. “It is irresponsible for businesses not to encrypt the data. We have to assume the thieves are either in the house or are going to break in—they will always build a taller ladder to climb over your perimeter security - we must protect the data itself.”

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules. The resolution agreement and corrective action plan can be accessed here.


Minnesota DHS Acknowledges Increase in Targeted Phishing Attacks

October 15, 2018
by Rajiv Leventhal, Managing Editor

Two phishing attacks on employees at the Minnesota Department of Human Services (DHS) resulted in the possible leakage of about 21,000 Minnesotans’ personal information.

The state health agency issued a notice last week that explained over the last several months, several phishing campaigns have targeted Minnesota’s executive agencies, including DHS. Two of these attacks were deemed “successful,” in that hackers—once in June and another time in July—were able to gain access to the state email accounts of two DHS employees, using these accounts to send out spam emails. The agency’s IT department didn’t find out about the attacks until August, officials said.

According to DHS, the two email accounts contained information about some people who have interacted with DHS, including the Minnesota citizens who were notified. Examples of the type of information found in the email accounts at the time they were compromised include: first and last names, dates of birth, Social Security numbers, addresses, telephone numbers, medical information, educational records, employment records, and/or financial information, officials noted.

The agency did add in its notice, “We currently have no evidence that this information was actually viewed, downloaded, or misused.”

According to a report in the Minnesota Star Tribune, this is just the latest cyberattack on Minnesota’s state agencies, “which fend off about 3 million hacking attempts daily, state officials have said. In fact, attacks are increasing, said Aaron Call, the chief information security officer for Minnesota IT Services, which provides technology services to state executive agencies,” according to that report.

In fact, in just the past nine months, “more than 700 security incidents have been reported affecting state agencies, Call said, adding that the attacks are becoming ‘more pervasive and more sophisticated,’” according to the Star Tribune report.


CISOs, CIOs Not Confident in Their Medical Device Security Strategy, New KLAS Research Finds

October 9, 2018
by Heather Landi, Associate Editor
According to a survey of CIOs and CISOs, healthcare organizations have an average of 10,000 connected medical devices

The healthcare industry continues to be bombarded with security attacks, and these cyber attacks are continuously evolving and becoming more sophisticated over time. At the same time, the healthcare ecosystem has become more connected with the increasing use of Internet of Things (IoT) medical devices, and these medical devices introduce vulnerabilities into healthcare organizations.

Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked, while also posing a threat to the security and privacy of patients’ protected health information (PHI). A recent medical device security report, the result of a collaborative effort between the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Security (AEHIS), and the Orem, Utah-based KLAS Research, sheds light on the current state of the medical device security industry. For the report, KLAS interviewed 148 CIOs, chief information security officers (CISOs), chief technology officers (CTOs) and other professionals at provider organizations to gauge their level of confidence in their medical device security strategies, the most common challenges they face, their perceptions of the security and transparency of major medical device manufacturers, and the best practices they leverage to overcome medical device security challenges.

The author of the report, Dan Czech, director, market analysis, cybersecurity at KLAS Research, will provide an in-depth overview of this report and medical device security trends during Healthcare Informatics’ Seattle Health IT Summit Oct. 22-23 at the Grand Hyatt Seattle.

The sheer number of connected medical devices that the average healthcare provider is trying to manage speaks to the tremendous challenge IT security leaders face, says Czech. “We spoke to organizations ranging from small to mid-sized clinics all the way to large multi-hospital IDNs (integrated delivery networks), and everyone in between, and the average number of connected medical devices was just under 10,000 medical devices. You think of the enormity of that problem, for an organization to wrap their arms around the problem of managing 10,000 devices,” he says.

What’s more, respondents reported that, among the thousands of connected medical devices that their organizations are managing, about one-third (33 percent) of those devices are “unpatchable.”


According to the research, 18 percent of provider organizations had medical devices impacted by malware or ransomware in the last 18 months, although few of these incidents resulted in compromised PHI or an audit by the Office for Civil Rights, U.S. Department of Health and Human Services (HHS OCR).

Czech notes that there have not been any patient safety events, to date, as a result of a medical device security issue; however, respondents cite patient safety as a top concern. “Let’s take an infusion pump,” he says. “The ability for a bad actor to gain access to that pump and change the dosage of the medication that’s being injected into a human, that is the kind of patient safety issue that we are concerned about.”

Czech continues, “Another way medical device security affects patient safety is if a device is on Windows XP, and WannaCry ransomware hits; if something like that happens, that device is taken out of production. You may have an oncology patient who needs consistent treatment with a medical device, and if you take that out of production, it disrupts patient care and impacts patient safety.”

The report found that most respondents are either neutral about or not confident in their current medical device security strategy, with CISOs and CIOs more likely to report concern. Only 39 percent of respondents said they were very confident or confident that their current strategy protects patient safety and prevents disruptions in care. Thirty-one percent said they were unconfident or very unconfident, and another 30 percent were neutral. About one-fifth of respondents feel that the inherent risks of medical devices—several of which are outside of their control—will prevent them from ever feeling confident.

Those healthcare leaders who expressed confidence most often point to their security processes and policies, including access limitations, network segmentation and regular device monitoring and risk assessment, as the source of their confidence, followed by strong technology. To support these processes and policies, many leverage security technologies, such as access controls, asset tracking, firewalls, and medical device monitoring. Strong executive support (financial and organizational) and cross-department collaboration also drive confidence, as evidenced by the fact that large IDNs, who more commonly have greater financial resources, are more likely to be confident in their strategies, according to the report.

“Respondents who report they are more confident also are those that have a clear line of ownership, not a shared responsibility,” Czech notes.

Those respondents that lacked confidence in their medical device security cited lack of manufacturer support as the top reason. Almost as common are internal issues related to basic—but hard-to-master—security tasks, such as understanding what assets exist in their organization, which have been patched, which are connected to their network, and what systems those devices are talking to. “Asset and inventory visibility is the basic blocking and tackling of medical device security strategy—you can’t protect what you don’t know. They are looking for tools and processes that they can put in place that will help them understand all the devices they have, what’s connected to their networks, and in some cases, what software is on the devices,” Czech says.

What’s more, 76 percent of provider organizations report that their resources are insufficient or too strained to adequately secure their medical devices.

More Manufacturer Support and Collaboration Needed

Taking a deep dive into the root causes of medical device security struggles, the report finds that interviewed organizations are almost unanimous in citing manufacturer-related factors as a cause of their medical device security issues. Most provider organizations see this issue as one of shared responsibility. As one CISO explained in the report, “I think there needs to be a coordinated effort between the manufacturers, the provider sites, and the regulators. I wish there were some other way for us to address this issue, but without that three-way partnership, I just don’t see how things will work out.”

According to Czech, the research findings indicate there is a gap between how long organizations expect to be able to use a device and how long vendors feel they can keep a device up to date and secure. As a result, nearly all interviewed organizations (93 percent) have struggled with out-of-date operating systems or the inability to patch a device throughout its expected life cycle. Currently, many manufacturers do not allow customers to patch devices themselves, or void warranties if they do.

Insufficient security controls, insufficient encryption, and hardcoded passwords are each cited as manufacturer-caused issues by about half of respondents. Adding to provider organizations’ frustration, on average, almost one-third of medical device vendors decline to offer contract provisions favorable to security.

However, the industry is beginning to shift, Czech notes. "Many provider organizations have drawn a line in the sand to say all contracts now and going forward will include standardized security contract language," he says. "This trend has been led by forward-thinking provider organizations and it also has benefited smaller organizations that may not have the legal teams or the cybersecurity teams that bigger organizations have, but they can use that standardized language in their contracts as well."

What’s interesting, Czech notes, is that many respondents spontaneously brought up frustrations regarding the role of the U.S. Food and Drug Administration (FDA) in medical device security, though KLAS did not specifically ask respondents about it. “It gets back to shared responsibility,” he says. “Respondents feel that manufacturers have a stake in this, they have a stake in this, but so does the FDA. Predominantly, the concern that they shared was that their manufacturer would hide behind their perceptions of the FDA regulations."

Almost two-thirds of respondents said manufacturers blame FDA policies, claiming the policies prevent them from making devices more secure. About a third said FDA policies are unclear, giving manufacturers ways to skirt around responsibility, and a third said that even when policies are clear, the FDA doesn’t hold manufacturers accountable, according to the report.

Cybersecurity Programs Advancing Forward

According to the research, organizations are increasingly adopting a number of best practices to strengthen medical device security. There are foundational best practices that organizations should implement, such as performing risk assessments, ensuring the inclusion of security provisions in their contracts, and ensuring they receive a software bill of materials, Czech notes. Organizations also report using the most common and basic defense techniques, such as network segmentation, antivirus software, and vulnerability scanning, to ameliorate security risk.

With regard to organizations’ patching strategies, many provider organizations have begun requesting that vendors use contract language that clearly outlines patching responsibilities and timelines.

Providers also are leveraging third-party solutions to improve medical device security, with nearly 75 percent of respondents currently using or planning to use third-party software or services, according to the report. Network access control (NAC) is most often used to segment networks and approve/deny access. To reduce costs and clearly define ownership, other organizations outsource their clinical engineering as well.

Looking at overall cybersecurity trends, the report indicates that organizations are investing more resources, both operationally and financially, in their cybersecurity programs. Almost 70 percent of organizations (68 percent) report having a VP or C-level leader in charge of the security program, and that’s up from only 42 percent in 2017, representing a 26-percent increase.

“Large IDNs are definitely leading the way with CISO leadership, as about 80 percent of their organizations have a CISO in charge, whereas if you look at clinics and community hospitals, those would be hospitals under 200 beds, only less than 10 percent have a CISO in charge,” Czech says. “Many of those smaller organizations have a CIO that wears two hats—an IT hat and a security hat.”

Organizations also reported improvements to security programs compared to a year ago. Twenty-seven percent considered their security programs to be fully functional and 47 percent said they were developed or starting to function in 2018, compared to 16 percent and 41 percent, respectively, in 2017.

More than half of organizations (57 percent) report that security is an agenda item at board meetings monthly or quarterly. In addition, 83 percent of organizations have increased their security budget in the last two years, and, on average, budgets increased by 85 percent, according to the report.
