The sector is now making security a top priority, hiring CISOs, undertaking threat management and penetration testing, all more than ever.
By Tom Sullivan August 10, 2017
Despite the consensus that healthcare is widely underprepared for protecting patient data, more hospitals than in the past are treating cybersecurity as a significant clinical and business necessity.
“The healthcare sector is taking cybersecurity very seriously and making it a priority,” said Lee Kim, director of privacy and security at HIMSS. “I was very surprised to see so many respondents doing penetration testing, and hiring CISOs or other senior security leaders, and having insider threat management programs.”
Indeed, taking cybersecurity more seriously begins with bringing onboard a security executive. And while much has been reported on the staffing crisis, HIMSS found that 60 percent of the 126 IT leaders it surveyed said they currently have an infosec leader, whether that person’s title is chief information security officer or something else.
It follows that hospitals and systems with CISOs put frameworks such as NIST in place, conduct due diligence when purchasing security products, run education and user training programs, and provide security staff training.
What’s more, 75 percent of respondents have insider threat management programs, 85 percent conduct risk assessments at least once a year, and 75 percent regularly run penetration testing.
All this is not to say the cybersecurity problem in healthcare will soon be solved. It won’t.
Security is not a one-time fix — and, bluntly, there are still those 25 percent of hospitals not doing enough to proactively quell the insider threat or not running pen testing, not to mention the 15 percent that fail to conduct annual risk assessments. Even among the 71 percent of respondents who said their healthcare organization dedicates financial resources to cybersecurity, more than half listed it as 3 percent of the overall budget.
But Lee said the research is encouraging. As is the fact that study participants ranked risk management, incident response, business continuity and disaster recovery as well as cloud and website security among their top priorities.
But is that enough to declare a turning point for an industry riddled with data breaches, widely viewed as a ripe target for hackers and other cybercriminals, and facing a talent shortage?
“The answer,” Lee said, “is a resounding yes.”
Lee will share the HIMSS research and insights from the findings at the upcoming HIMSS and Healthcare IT News Healthcare Security Forum, in Boston Sept. 11-13, 2017.