Less Than a Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program

54850747 - security threat on a network with moving data

The 2018 CHIME Healthcare’s Most Wired survey has revealed many healthcare organizations do not have a comprehensive cybersecurity program. The annual survey investigates the extent to which healthcare organizations have implemented health information technology and identifies the ‘Most Wired’ organizations with the most extensive IT infrastructure.

This year, the CHIME report shows many healthcare organizations have gaps in basic technologies as well as security and disaster recovery strategies. Because of greater usage of networked medical equipment and IoT technology, the attack surface has grown substantially in the past few years. Addressing data privacy and system security risks is therefore a major challenge.

Healthcare organizations are investing in technology to secure their networks and medical devices and many have now adopted cybersecurity frameworks such as those developed by NIST and HITRUST to improve security, however security gaps still remain.

In order for a cybersecurity program to be considered comprehensive, CHIME believes six key building blocks must be integrated into a healthcare security program:

  • The appointment of a Chief Information Security Officer (CISO)
  • Progress tracking
  • Reporting of security gaps
  • Forming a governance committee focused on cybersecurity
  • Having security board meetings at least once a year
  • Making sure there is board-level oversight of cybersecurity

Just 29% of the healthcare organizations that participated in the survey said they have a comprehensive cybersecurity program including all of the above building blocks. Assigning a CISO to supervise security and reporting security issues to an executive team are important foundations of a cybersecurity program.

94% of healthcare organizations reported security progress and 95% reported security deficiencies to the board. However, only 90% of the healthcare organizations had appointed a dedicated CISO, only 79% had formed a dedicated cybersecurity team, and just 34% had established a board-level committee to supervise the security program.

Almost all participants in the survey reported having implemented authentication controls and firewalls and ensured the secure disposal of devices that contain ePHI. However, many still lack important safeguards such as mobile device management solutions (10% of organizations), unique user identifications or physical device locks (12%), encryption on portable storage devices (14%), and encryption of data backups (18%).

Although the majority of healthcare organizations utilized at least one information sharing and analysis organization (ISAO), less than 33% communicated with formal groups like the Cyber Information Sharing and Collaboration Program (CISCP), the Health Cybersecurity & Communication Integration Center (HCCIC) or the National Cybersecurity & Communication Integration Center (NCCIC).

The survey additionally evaluated the ability of healthcare organizations to recover quickly from disasters. Only 68% of surveyed organizations claimed they were are capable of restoring financial, clinical, supply chain management, HR and staffing systems within 24 hours if their primary data center was taken out of action.

CHIME listed ten vital elements of a comprehensive incident response program:

  • Documentation of EHR outage procedures
  • Security/privacy breach notification procedures
  • Tabletop exercises done yearly
  • Disaster recovery plans connected to continuity of business
  • Including the marketing & communication committee in planning and exercises
  • HR team participation in planning and exercises
  • Involvement of other members of the organization in planning and exercises
  • Involvement of the resource management team in planning and exercises
  • Involvement of the legal team in planning and exercises
  • Holding yearly enterprise-wide exercises

Only a quarter (26%) of healthcare organizations reported that they were satisfying all ten requirements. 43% have between 7 and 9 elements of the above list, and 31% had fewer than 7.