HIMSS dives deeper into focus areas for cyber security

6 September 2017
The recently published 2017 HIMSS Cybersecurity Survey resulted in many positive findings about healthcare cybersecurity. According to the survey, healthcare organizations are taking steps to enhance their cybersecurity programs to a greater degree than anticipated.

A majority of organizations measured (71 percent) allocate specific budget toward cybersecurity. Additionally, 80 percent of IT leaders measured indicated their organization now employs dedicated cybersecurity staff. The conclusions in the cybersecurity report are encouraging, HIMSS writes, because they show that many organizations are making security programs a priority.

Healthcare responding to challenging threat landscape

Healthcare organizations are facing a new reality of a very challenging cyber threat landscape. However, respondents to the 2017 HIMSS Cybersecurity Survey indicate that they are taking proactive steps to stay ahead of the threats. With concerns such as significant data breaches and potential harm to patients, there is no doubt that healthcare cybersecurity will continue to be a hot topic for the foreseeable future.

Diving deeper into the survey, HIMSS focuses on some key areas where security has been improved: the need for penetration testing; top-of-mind concerns regarding cloud security and medical device security; frequent testing for failure of technological resources; and cybersecurity due diligence of technological assets.

Penetration testing essential

Penetration testing is often outsourced to third parties. Getting penetration testing done is not necessarily an inexpensive endeavor. Nonetheless, about 75% of our respondents are regularly conducting penetration testing. Penetration testing is a good way to test one’s cybersecurity defenses, incident response plans, awareness training, policies and procedures. Penetration test reports can hold significant value, as they explain what gaps or deficiencies may exist and how to remedy them.

Cloud security concerns top of mind

Information security professionals at acute care providers are concerned about cloud security. Specifically, points of concern include ownership of data (53%), lack of cybersecurity (53%), insider threat (41%), lack of transparency (42%), and lack of geographical restrictions (44%).

These concerns include questions such as: Where will my data be? Will my data go outside of the borders of the United States? Will I be able to get my data back once the contract is over? Who has access to my data at the cloud provider? While more healthcare providers may be turning to cloud solutions, there are a number of concerns that must be addressed.

Medical device security top concern

Both acute care and non-acute care providers are concerned about medical device security. However, patient safety is at the top of the list as it pertains to acute providers, according to 32% of respondents at healthcare organizations with chief information security officers or other senior leaders. Many acute providers have life-sustaining or life-saving medical devices. Considering that many of these are Bluetooth-enabled connected devices, medical device security and patient safety are very much intertwined—so much so that a potential compromise on a medical device may lead to an adverse event.

Frequent testing for failure of technological resources

Business continuity and disaster recovery have traditionally been weak points in healthcare cybersecurity. On a positive note, 59% of organizations with chief information security officers or other senior IT security leaders and 40% of organizations without such senior leaders are testing for failure of technology resources for business continuity and disaster recovery purposes. As our weather patterns get more extreme and as ransomware and denial of service attacks are on the rise, providers of all types are realizing that we need to be prepared.

Frequent cybersecurity due diligence of technology products and services

Many healthcare organizations are aware that buying technology products or services off the shelf can be a dangerous proposition. Indeed, such products or services may be implanted with malware and/or they may have significant vulnerabilities off the shelf.

Thus, an overwhelming 88% of healthcare organizations with chief information security officers or other IT security leaders and 57% of healthcare organizations without such leaders are ensuring that cybersecurity due diligence is done during the pre-acquisition stage – that is, prior to the implementation of the technology product and/or service at the organization.