HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted on 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible or had some responsibility for information security in their organization.

The report shows healthcare organizations in the United States are increasingly making cybersecurity a priority and have been enhancing their cybersecurity programs over the past 12 months. More healthcare organizations have increased their cybersecurity staff and adopted holistic cybersecurity practices and perspectives in key areas.

The survey revealed 75% of respondents are now conducting regular penetration tests to identify potential vulnerabilities and determine how resilient they are to cyberattacks. In response to the considerable threat from within, 75% of respondents have implemented insider threat management programs and 85% are now conducting risk assessments at least once every 12 months.

While these results are encouraging, there is still considerable room for improvement. 15% of organizations are not conducting annual risk assessments and 25% do not have an insider threat management program, even though insiders are the biggest cause of healthcare data breaches.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

HIMSS says, “Many CISOs and other senior information security leaders know that HIPAA compliance alone is not enough and that adopting and implementing a robust security framework is a necessary prerequisite for having a robust security program.”

A majority of respondents have adopted at least one cybersecurity framework, the most popular being the NIST CSF (62%) followed by HITRUST CSF (25%) and ISO (25%). Organizations that have hired a CISO are much more likely to implement a cybersecurity framework. Only 5% of organizations with a CISO have not adopted the NIST CSF.

Healthcare organizations now appreciate the importance of conducting regular security awareness training for the workforce, such as training employees how to recognize phishing emails and social engineering attacks and the importance of reporting potential security incidents to the IT department. 87% of respondents said they run security awareness training sessions for the workforce at least once a year.

60% of respondents said they now employee a senior information security leader such as a CISO to oversee their cybersecurity programs and 80% have dedicated cybersecurity staff.

71% of respondents said they divert some of their budget to cybersecurity, with 60% allocating 3% or more of their budget to their cybersecurity program.

When asked about the biggest threats, the greatest concerns were medical device security, patient safety – especially in relation to attacks on medical devices – PHI breaches, and malware.

Rod Piechowski, senior director, health information systems, HIMSS said, “This data is encouraging because it shows that many organizations are making security programs a priority; however, there is room for continued improvement. Our hope is that the new research will be an important resource for organizations navigating the complex security landscape.”

Full details of the findings of the HIMSS 2017 Cybersecurity Survey are available on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.