
Five Ways to Improve Your Health Organization’s Cybersecurity
A new Symantec survey has surprising findings about risk assessment as a driver in cybersecurity investments.
Healthcare’s approach to cybersecurity is maturing, but not fast enough, according to a new survey.
Respondents to the
Together, Symantec and HIMSS Analytics surveyed 104 IT leaders and professionals to gather survey results. The collection period began November 1, 2017, and closed December 8, 2017. The companies also conducted 10 in-depth qualitative interviews to gain additional insight into key topic areas.
“In summary, the survey shows that security risks are real and need to be addressed on all levels of the organization, from technical to the board, and all executive decision makers, including managed care executives,” says Axel Wirth, healthcare solutions architect, Symantec. “Despite the increased focus on cybersecurity in board meetings, healthcare organizations continue to underinvest in cybersecurity, even as cyberthreat activity amps up and gets more sophisticated.”
In fact, the survey showed that IT security spend has remained relatively flat over the last three years. Almost three-quarters of providers dedicate 6% or less of their IT budgets to security.
The cloud remains a concern for many healthcare providers, with 71% of survey respondents having multiple security concerns related to moving information/applications to the cloud, even though three of four providers are already using the cloud, according to the survey. And organizations are not sufficiently prioritizing security that addresses the unique complexity and diversity of their medical device environment. Almost all (95%) respondents have multiple concerns regarding medical device security in their environments.
Other unique findings show a rise in organizations using formal risk frameworks with NIST CSF being the most commonly used one (63%).
“Survey respondents also surprisingly revealed that they are less confident in their organization’s ability to fend off attacks than they were the year before. Seventy-three percent of respondents identified ‘budget’ as the most significant barrier to improving their security programs, followed by ‘staffing’ and ‘skillsets’,” says Wirth.
According to Wirth, healthcare executives should take the following five recommendations into consideration to advance their risk management programs:
- Create a culture of cybersecurity through leadership, awareness, and increased training across the organization and as appropriate for the respective roles.
- Implement an integrated cyber defense platform and take a “defense in depth” approach, rather than deploying a collection of security point products and solutions.
- Assure a homogeneous security approach spanning from traditional endpoints and networks to mobile devices and cloud applications.
- Ensure all necessary stakeholders (IT, legal, PR and communications, clinical staff, executives, etc.) are involved in Incident Response planning and that incident response plans are practiced.
- Continue to engage the board on security strategy and enable security risk understanding from a business perspective.


































