Health Data Security: Making Progress?
CISOs, Analysts React to Findings of 2017 HIMSS Cybersecurity Survey
Yet another survey confirms that despite high-profile cyber threats, many healthcare organizations still have relatively skimpy information security budgets - a continuing area of concern for CISOs.
The Healthcare Information and Management Systems Society's 2017 Cybersecurity Survey, based on feedback from 126 U.S. health information security professionals, found that only about 71 percent of respondents were even able to identify what percentage of their organization's budget is allocated to cybersecurity. Of those, 60 percent say cybersecurity represents 3 percent or more of the budget, while the rest say the percentage is lower.
The skimpy cybersecurity budgets at many healthcare entities are truly worrisome, says Cris Ewell, CISO at UW Medicine in Washington state, which includes four medical centers.
"The most concerning overall trend is the continued low funding and lack of senior support for the information security programs in healthcare," Ewell says. "Even with an incident, the priority and attention to information security start to decrease after a few years. This is one of the areas that absolutely needs a top-down approach - from the board of directors to the executives. They all must be on board with the change in culture and the ability to address the competing priorities that may sideline information security initiatives."
Key Survey Findings
Among the survey's other findings:
- Some 86 percent of respondents say their organization has adopted a cybersecurity framework. The most commonly adopted is the National Institute of Standards and Technology's Cybersecurity Framework.
- The vast majority of respondents say that they conduct a risk assessment at least once a year.
- But only about a third of respondents say their organizations conduct penetration testing on an annual basis.
Healthcare entities often face challenges in setting and executing cybersecurity priorities that get the best results, Ewell notes.
"Overall, all of us in the healthcare industry have to move to an information security program based on risk that addresses risk throughout the enterprise on a daily basis," he says. "The process must be built into the program and not thought of as a once-a-year - or even longer - activity.
"There is certainly value in having external agencies take a look at your information security risk program and addressing how the program is performing and analyzing any risks you may not be addressing - i.e. a second set of eyes and different methodologies are helpful," he says. "But the long periods between the assessments are no longer adequate to address our advanced adversary and current threats against healthcare."
Ewell says his top security priorities this year include improving risk management activities across the entire UW Medicine enterprise. Those activities involve improving understanding of all assets and their vulnerabilities, bolstering threat intelligence and developing improved monitoring capabilities to better detect "the highly skilled adversary."
In the year ahead, all healthcare organizations should take several steps, he suggests, including: getting boards and executives involved in reviewing information security risks; continuing targeted information security awareness and training to address current threats; and working to reduce the vulnerabilities of healthcare devices and systems.
"We need to continue to inform and educate senior leaders about the ever-evolving threat and the risk they pose to our organization," adds Phil Curran, chief information assurance officer and chief privacy officer at Cooper Health in Camden, N.J. "We cannot lose the momentum we have gained; it is so hard to get back once we lose it."
Top priorities for healthcare organizations, Curran suggests, should include medical device security, third-party security and training of employees.
"The use of [medical] devices continues to grow exponentially along with the requests to have their data interfaced into the electronic medical record, and rightfully so," Curran says. "However, we need to consider the privacy of the data so we need to complete a risk assessment for each device that will store or transmit data."
Third-party vendors "truly need to understand they are an extension of our organization," he adds. "Therefore, they should be protecting our patient information with as much care and diligence as our organization. Patients only see the organization, not the third party."
And when it comes to employee education, "we need to change the culture of our employees from one leaning toward convenience to one where they understand why we have the controls in place and their role in complying with the controls," Curran says.
Room for Improvement
Susan Lucci, chief privacy officer and senior consultant at health data security consulting firm Just Associates, says that given the dramatic uptick in cybercriminal activities aimed at healthcare organizations, conducting comprehensive security risk analyses and making intrusion protection investments "should indeed be at the top of priority lists."
While the survey appears to show that timely risk assessments are becoming more common at healthcare organizations, "we still have a lot of organizations conducting their own risk assessments and in some cases following a checklist approach," says Mac McMillan, president of the security consultancy CynergisTek. "More mature industries use external professionals to do this work to ensure objectivity, to benefit from their knowledge and to assure due diligence in their assessments of this critical compliance responsibility."
Kate Borten, president of privacy and security consulting firm The Marblehead Group, suggests that the HIMSS survey likely doesn't reflect what's happening at smaller entities. "The survey may be skewed toward larger and more sophisticated healthcare organizations, leading the report to be overly optimistic," she notes.
"While healthcare industry security has improved over the years, it is not where it needs to be. It's true that banking, for example, has had a longer history of security regulation, but HIPAA dates from the 1990s, and progress has been very slow over the past 20 years, particularly for small and midsize provider organizations. Add to that the newer risks associated with mobile devices, including patient wearables, use of the cloud, and other technology advances, and it's no wonder that healthcare is a big target for exploitation."