Survey: Cybersecurity Getting More Attention at the C-Suite and Board Level | Healthcare Informatics Magazine

February 21, 2017
by Heather Landi

Cybersecurity has been elevated to a central concern for healthcare providers, with more attention at the board level and the C-suite, according to a new survey by Orem, Utah-based KLAS Research and the College of Healthcare Information Management Executives (CHIME). The study found that 42 percent of organizations have a vice president or C-level official in charge of cybersecurity, and for 39 percent of organizations, the head of cybersecurity is at the director level.

The survey findings also indicate that cybersecurity issues are increasingly making it to the board level, as 62 percent of respondents report that security is discussed quarterly at board meetings.

The 271-page report, titled “Cybersecurity 2017: Understanding the Healthcare Security Landscape,” profiled provider adoption of, and experiences with, specific cybersecurity solutions, including data loss prevention (DLP), identity and access management (IAM), mobile device management (MDM), and security information and event management (SIEM).

In partnership with CHIME, KLAS conducted nearly 200 interviews of chief information security officers, CIOs, chief technology officers and other security professionals. To cover the largest number of impacted providers and patients, the research targeted mainly larger multihospital organizations (IDNs) and hospitals, with some additional input from large physician practices (75+ physicians), according to KLAS.

The study found that 16 percent of providers—mostly large hospitals or integrated delivery networks—reported having “fully functional” security programs. Another 41 percent reported that they’ve developed and are starting to implement a program. However, close to half of respondents (43 percent) reported that their organization’s security program was either “developing” or “not developed.” Smaller hospitals and physician practices lagged behind in their program development.

Eighteen percent of survey respondents reported that 7 percent or more of their total IT budget was dedicated to security, while 14 percent of respondents said spending on security made up about 5 to 6 percent of their IT budget. The largest segment, 41 percent of respondents, reported dedicating 3 percent or less of their IT budget to security, while 27 percent placed their security spending at between 3 and 4 percent of their total IT budget.

Additionally, when asked to gauge their breach readiness level, close to 80 percent of respondents reported their organization had cyber liability and breach insurance in place, 72 percent reported they had a breach policy and playbook created, and 67 percent reported they had a breach incident team created. Six percent said they didn’t know their breach readiness level.

Other key findings of the study included:

  • 55 percent of respondents reported that encryption is the most common way of securing connected endpoints on their networks, followed by antivirus/malware systems at 42 percent and mobile device management (MDM) at 33 percent
  • 63 percent of respondents reported that security information and event management (SIEM) is the most common method for detecting phishing and ransomware attacks, followed by intrusion detection (26 percent) and end-user reporting (15 percent)
  • 39 percent of respondents reported that an incident-response plan/policy is the most common method for responding to attacks, followed by incident-response teams (34 percent) and then services firm/insurance (20 percent)
  • 75 percent of respondents reported that they are following the National Institute of Standards and Technology Cybersecurity Framework; 31 percent are following HITRUST
  • 84 percent of organizations are using training to ensure employees understand and follow security policies
  • 76 percent of organizations do external risk assessments on at least an annual basis


“Healthcare organizations take their responsibility for protecting patient information and their data networks very seriously,” CHIME president and CEO Russell Branzell said in a statement. “As healthcare continues to march toward greater integration and information sharing across the continuum, we must become more vigilant in protecting data networks. Security has to be seen as an organizational priority. It is encouraging to see more C-level executives and boards taking greater responsibility for the issue.”

“Providers are embracing cybersecurity and report that vendor solutions are becoming more robust and responsive to provider’s needs,” Garrett Hall, director of cybersecurity for KLAS, said in a prepared statement. “However, cybersecurity remains a significant challenge for many providers, and the healthcare industry as a whole.”

