Healthcare organizations are doing more than ever to protect their data from cyber-attacks, according to the 2017 HIMSS Cybersecurity Survey released this past summer.
But nearly 30% of HIMSS survey respondents still do not dedicate a specific portion of their budget to cybersecurity, and the healthcare sector’s cybersecurity performance lagged behind many other industries in the 2017 U.S. State and Federal Government Cybersecurity Report – 13th out of 18 industries studied.
HIMSS – the Healthcare Information and Management Systems Society – is a non-profit organization with more than 68,000 members, focused on the use of information technology in healthcare. Its organizational goals include furthering the cause of digital technology to help medical professionals improve outcomes and cost-effectiveness.
HIMSS helps organizations and health IT professionals keep pace with rapidly changing security needs, especially when it comes to patient data and interactivity among medical devices that are woven into the Internet of Things (IoT). The annual Cybersecurity Survey is a way for HIMSS to gauge progress and provide context when it comes to efforts to defend against the ever-present threat of internet-based attacks on the healthcare industry.
What the HIMSS Survey Showed
The 2017 HIMSS cybersecurity survey gathered responses from 126 information technology leaders in the healthcare field. Key findings included:
- 60% of respondents said their organization employs a senior cybersecurity professional, such as a Chief Information Security Officer.
- Organizations with a senior cybersecurity official on board are more likely to adopt the most recent cybersecurity framework recommended by the National Institute of Standards and Technology.
- 75% of respondents said their organizations have incorporated an insider-threat-management program.
- 85% of respondents said their organizations conduct a risk assessment at least once per year.
- 75% of respondents conduct penetration testing on a regular basis.
In addition, the survey revealed that the three most pressing cybersecurity concerns are:
- The security of connected medical devices
- Patient safety
- Malware attacks from external sources
The report also found that information security professionals at acute care providers have more specific cybersecurity concerns than those at non-acute care providers. The primary concern for acute care providers, according to the HIMSS report, is a potential vulnerability caused by inconsistent third-party security policies and practices.
Assessing Cybersecurity Threats
While the HIMSS Cybersecurity report is an important source of information for health-related cybersecurity professionals, its results should be considered alongside those of the concurrent government cybersecurity report. The HIMSS report is focused primarily on how healthcare organizations are responding to threats, while the government report is concerned with a broader scope across several industries and state and federal agencies.
The government report uses data gleaned from web applications, network security, leaked credentials, hacker chatter, social engineering, exposed administrative portals, domain name system health, patching frequency and cadence, endpoint security and malware presence.
Interestingly, the government report found that the food and entertainment industries were the best and second-best-performing industries in cybersecurity. Education was last out of the 18 industries in the report.
The healthcare sector performed most poorly in endpoint security (16th out of 18) and social engineering (also 16th out of 18).
When it comes to “hacker chatter,” there is good news and bad news for healthcare. The only industry that was graded with better performance in detecting threatening chatter was the pharmaceutical field. While it’s good news that the chatter was detected, it’s also an indication that there is far more information to detect – leading to the logical conclusion that healthcare is a hugely tempting target for hackers.
The HIMSS report concludes that the strengthening of cybersecurity in the healthcare industry has been driven over the past few years by heightened awareness of cyber threats, increased knowledge across the industry about how to combat cyberattacks and a focus on best practices industry-wide.