Data Theft and Social Engineering Biggest Concerns for Healthcare CIOs

The College of Healthcare Information Management Executives (CHIME) has explored the deepest, darkest fears of healthcare chief information officers (CIOs) and chief information security officers (CISOs) in a recent survey, the findings of which were presented to the Department of Health and Human Services Cybersecurity Task Force this week.

The survey, which was conducted on 190 CHIME and Association for Executives in Healthcare Information Security (AEHIS) members, explored the biggest perceived threats to healthcare data and some of the challenges faced by the industry. Opinions were also sought on the most important ways the federal government could help CISOs/CIOs share cybersecurity information.

Respondents were asked to rate threats from 1 to 5 based on their level of concern, with 1 being their biggest concern, so a lower average indicates greater concern. Data theft came top with an average rating of 1.75, social engineering was second with an average rating of 1.88, and the risk from insiders was third with an average rating of 2.36.

Perhaps unsurprisingly, given the number of ransomware and malware infections reported in recent months, respondents believed that ransomware and malware were the main ways in which cybercriminals were exploiting weaknesses.

When asked to rate the security exploits they were most concerned about, ransomware was the biggest concern with an average score of 1.49. Malware was second with a rating of 1.65, followed by hacking with a rating of 1.99. The security vulnerabilities of most concern were data exposure (1.77), security misconfiguration (2.09), and poor authentication/session management (2.23).

Respondents agreed that, compared to a year ago, their organizations were much better prepared for security incidents, could discover incidents faster, and were now in a better position to recover from security incidents.

To help CISOs/CIOs share cybersecurity information more easily and faster, respondents said the best strategy for the federal government to adopt would be to incentivize participation in Information Sharing Organizations (ISOs) and Information Sharing and Analysis Organizations (ISAOs). In second place were requiring manufacturers to report cyber risks directly to providers and not just to US-CERT, and having the federal government create tools aimed at providers of different sizes and levels of resources.

According to Marc Probst, chair of the CHIME board of trustees and CIO at Intermountain Healthcare: “New payment and delivery models are creating a more connected healthcare system than ever before, but we need our partners in the federal government to understand the risks that are out there and to work with us on finding common sense solutions.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.