Cybersecurity must be a hands-on boardroom concern, expert says
Providers must move cybersecurity out of IT and into the boardroom.
LAS VEGAS -- Despite signs that risk management in the healthcare space is maturing, dangerous cybersecurity gaps still loom and provider confidence in their own ability to stop an attack is flat, according to the third annual HIMSS Analytics and Symantec IT Security and Risk Management report, unveiled at the HIMSS18 global conference this week. In order to enable lasting and meaningful change, providers must move cybersecurity out of IT and into the boardroom, the study said.
The study examines the perspectives of IT and security executives, as well as those of IT administrators, physicians, and business professionals, on IT security strategies. Findings were based on a web survey and in-depth interviews conducted in December.
The good news is that healthcare organizations are starting to implement practices that show a better understanding of cybersecurity. They are also establishing cybersecurity frameworks and making risk assessments more of a priority, with study results showing 60 percent of IT leaders now identify risk assessment, instead of HIPAA compliance, as the number one driver of security investments, and 94 percent rank it in the top three drivers. Also, 59 percent said "performance against risk frameworks" was a top KPI.
C-suite executives are also just starting to get more hands-on with cybersecurity, the report said, with security reports either being provided on request (roughly 40 percent of respondents) or being presented regularly at meetings (approximately 27 percent). A little more than 14 percent proactively discuss new or existing risks.
"If a healthcare provider doesn't see itself as a target, that would indicate that it doesn't have a full understanding of what cybersecurity means in 2018," said Axel Wirth, a Distinguished Healthcare Architect for the HIMSS Privacy and Security Committee and a healthcare solutions architect for Symantec.
However, providers are not coming close to investing sufficiently in cybersecurity, still have doubts about the cloud and how to make it secure, and are not adequately prioritizing security, even as their technology environments grow in complexity thanks to the use of medical devices.
Despite rampant and highly damaging cyberattacks in the healthcare industry recently, 45 percent of respondents said that in 2017 only zero to three percent of their total IT budget was devoted to IT security.
For 28 percent of respondents, four to six percent of their 2018 IT budgets went to security. Only 7.7 percent said more than 10 percent was earmarked for infosec, results showed.
Confidence in fending off cyber criminals is also alarmingly low, with just six percent in 2017 saying they were "extremely confident" that their organization was prepared to fend off cyberattacks. Some of that may be due to limited resources and staffing shortages, the report showed, with 73 percent of respondents citing budget limits as a top three barrier, about 63 percent citing staffing shortfalls and a little more than 40 percent saying they can't find the right skill sets to do the work.
Whatever the challenges, Wirth said, IT security today is an entirely different animal than it was years ago. It's no longer a "point problem," but rather a systemwide concern since it can directly impact a provider's bottom line, care delivery and patient safety.
"The challenge of managing risk in today's complex healthcare environment is an onion problem.
You solve for one layer, and then you find there are more challenges below it," said Wirth. "That is why every aspect of a provider's approach to cybersecurity -- from keeping the board informed to adopting a framework, to budgeting for and managing risk -- must be conducted from a business risk perspective."
Twitter: @BethJSanborn
Email the writer: beth.sanborn@himssmedia.com