Healthcare providers finally may be getting serious about cybersecurity

Chris Nerney, Contributing Writer

Escalating attacks on healthcare IT systems have caught the attention of hospital decision-makers.

A new poll of healthcare provider IT leaders by HIMSS (Health Information and Management Systems Society) shows that hospitals and other provider organizations are increasingly investing in cybersecurity.

Among the highlights of the 2017 HIMSS Cybersecurity Survey:

  • 71 percent of respondents said their organizations allocate specific budget toward cybersecurity
  • 80 percent of organizations employ dedicated cybersecurity staff
  • 60 percent of organizations “employ a senior information security leader, such as a Chief Information Security Officer (CISO)”
  • 75 percent “have some type of insider threat management program at their organization”
  • 85 percent say they conduct a risk assessment at least once a year
  • 75 percent say they “regularly conduct penetration testing”
  • Patient safety, data breaches and malware were the top three concerns regarding medical devices

Those are fairly healthy numbers – particularly for a sector not known for its robust security posture. That being said, the relatively low percentage of organizations with senior security officers indicates that even those who answered affirmatively to other questions in the survey regarding cybersecurity preparedness may lack a cohesive strategy.

“Organizations with a CISO or other senior security leader tend to adopt holistic cybersecurity practices and perspectives in critical areas, including procurement, education/training and adoption of the NIST Cybersecurity Framework,” HIMSS said.

Lee Kim – director of privacy and security at HIMSS, who will present the survey findings at the upcoming HIMSS and Healthcare IT News Healthcare Security Forum in Boston September 11 to 13 – said the results are encouraging.

“The healthcare sector is taking cybersecurity very seriously and making it a priority,” Kim tells Healthcare IT News. “I was very surprised to see so many respondents doing penetration testing, and hiring CISOs or other senior security leaders, and having insider threat management programs.”

A study released in February 2017 by healthcare security vendor CynergisTek concluded the number of providers victimized by hackers in 2016 was up 320 percent over the previous year. 

In early June a task force created by the Department of Health and Human Services (HHS) blasted the U.S. healthcare system for being unprepared to handle the data security challenges of an interoperable world.