Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program

An alarming number of healthcare organizations do not have comprehensive cybersecurity programs in place, according to the recently published 2018 CHIME Healthcare’s Most Wired survey.

The annual CHIME survey explores the extent to which healthcare organizations have adopted health information technology and draws attention to those that are ‘Most Wired’ and have the broadest, deepest IT infrastructure.

This year’s report highlights gaps in foundational technologies and strategies for security and disaster recovery. “Before provider organizations can achieve outcomes with their strategies for population health management, value-based care, patient engagement, and telehealth, they must first ensure that foundational pieces such as integration, interoperability, security, and disaster recovery are in place,” explained CHIME.

The attack surface has grown considerably in recent years due to increased adoption of networked medical devices and IoT technology. Threats to the privacy of sensitive information and to the security of systems and devices have grown, and security is now a major challenge.

To address cybersecurity threats, many healthcare organizations have invested heavily in IT solutions and new technologies to secure their systems and data. A growing number of healthcare organizations have now adopted cybersecurity frameworks such as those developed by NIST and HITRUST, rather than relying on their own self-developed frameworks.

A comprehensive cybersecurity framework is an important component of any cybersecurity program, although CHIME has identified six other core building blocks of security that should be incorporated into healthcare security programs. These are:

  • Appointing a dedicated Chief Information Security Officer (CISO)
  • Progress tracking
  • Reporting of security deficiencies
  • Creating a governance committee dedicated to cybersecurity
  • Conducting security board meetings at least annually
  • Ensuring board-level oversight of cybersecurity

Appointing a dedicated CISO to oversee security and reporting security updates and progress toward security goals to an executive committee are important first steps to mitigate vulnerabilities, yet these foundational elements are still being developed by many healthcare organizations. Only 29% of healthcare organizations that took part in the survey said they had a comprehensive cybersecurity program in place that covered all of the above requirements.

Healthcare organizations were most likely to report security deficiencies (95%) and security progress (94%) to the board, but only 90% had a dedicated CISO. Only 79% had a dedicated cybersecurity committee, and just 34% had a board-level committee providing oversight of the security program.

Virtually all healthcare organizations that took part in the study had implemented firewalls and authentication controls and securely disposed of devices containing ePHI, but many other important safeguards were lacking. For instance, 10% of organizations lacked mobile device management solutions, 12% did not have unique user identifications or physical device locks, 14% did not use encryption on removable storage devices, and 18% were not yet encrypting data backups.

No man is an island, and the same is true of healthcare organizations. Accessing and sharing knowledge, best practices, and threat information is an important part of any cybersecurity program. While most healthcare organizations used at least one information sharing and analysis organization (ISAO), fewer than a third communicated with formal groups such as the Cyber Information Sharing and Collaboration Program (CISCP), National Cybersecurity & Communications Integration Center (NCCIC), or the Health Cybersecurity & Communications Integration Center (HCCIC).

The survey also assessed healthcare organizations’ ability to recover from disasters. Only 68% of organizations said they were confident that if an event wiped out their primary data center they would be able to restore clinical, financial, supply chain management, HR, and staffing systems within 24 hours.

CHIME identified ten critical elements of a comprehensive incident response plan:

  • Documented EHR outage procedures
  • Security/privacy breach notification procedures
  • Tabletop exercises conducted at least annually
  • Disaster recovery plans linked to business continuity
  • Marketing & communications team included in planning and exercises
  • HR team involvement in planning and exercises
  • Other members of the organization involved in planning and exercises
  • Resource management team involvement in planning and exercises
  • Legal team involvement in planning and exercises
  • Enterprise-wide exercises held at least annually

Only 26% of healthcare organizations had all ten elements, 43% had between 7 and 9 in their disaster response programs, and 31% had fewer than 7. Most organizations said they used a data repository to back up data and most used off-site data storage for backups.

While it is certainly encouraging that improvements are being made, there is still considerable room for improvement to bring cybersecurity programs up to the necessary standard.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.