Despite regulatory mandates and years of costly data breaches in the healthcare industry, a recent survey found that less than one-third of healthcare organizations say they have a comprehensive cybersecurity program in place.
The 2018 CHIME HealthCare’s Most Wired survey found that only 29 percent of healthcare organizations have such a program in place. To make matters worse, 31 percent of those organizations that don’t have a program in place never meet with their executive committee or meet less than once a year.
For the survey, CHIME questioned 618 healthcare organizations.
The survey also found that healthcare organizations are getting away from building their own security programs from scratch and moving toward NIST and HITRUST frameworks. In addition to having a framework in place, CHIME determined that a comprehensive security program also includes having a dedicated senior security leader, an adequate security budget, governance and oversight committees, and regular meetings to determine and mitigate program gaps.
“Having a dedicated chief information security officer (CISO) and regularly reporting security updates to an executive committee are some of the first steps to mitigating cybersecurity vulnerabilities,” the report stated. “However, for most organizations, establishing these security foundations is still a work in progress. Only 29 percent of organizations report having a comprehensive security program in place.”
“Healthcare organizations with a comprehensive security program are more likely to support critical security measures, such as data-loss prevention (12 percent higher adoption), bring-your-own-device management (13 percent higher adoption), database monitoring (13 percent higher adoption), provisioning systems (14 percent higher adoption), log management (16 percent higher adoption), and adaptive risk-based authentication for network access (16 percent higher adoption),” the report found.
The study also found that, while organizations are doing many of the basics, such as using passwords and firewalls and having good device disposal policies in place, healthcare organizations often lack other suggested practices such as mobile device management, unique user identifications, physical device locks, encryption for removable storage devices, and encryption of backups.
There was some good news. Most of the organizations surveyed do participate, many informally, in sharing cybersecurity information within a healthcare or cybersecurity group such as the Cyber Information Sharing and Collaboration Program, the National Cybersecurity and Communication Integration Center, or the Health Cybersecurity and Communication Integration Center.
Finally, while the majority of survey respondents believe they could recover their IT operations in the event of a disaster, the survey revealed there is much work to be done for many organizations. Sixty-eight percent believe that they could recover from the complete loss of their primary data center within 24 hours for their clinical, financial, supply chain management, and human resources and staffing systems, and almost all organizations have a data repository for backup, with off-site backups being used most frequently.
It’s good to see some cybersecurity progress in healthcare. As we’ve covered in When It Comes to Data Breaches, Healthcare Businesses Stand to Lose Most, for eight healthcare organizations incurred the highest costs from data breaches, costing them an average of $408 per lost or stolen record. Costs associated with data breaches in healthcare are nearly three times higher than in other industries.
In Healthcare data breaches on the rise, we covered how an analysis of healthcare data breaches for the first half of 2017 showed the healthcare industry to be on the path to suffering more than one data breach a day.
Highlights from that Breach Barometer Report: Mid-Year Review, from patient privacy analytics monitoring provider Protenus and data breach tracking website databreaches.org, showed that through June of last year there were 233 breaches either reported to U.S. Health and Human Services (HHS) or state attorneys general, or reported in the media. For 193 of the incidents in the report, a total of 3,159,236 patient records were exposed.
Hopefully, in the months and years ahead, healthcare will continue, if not increase, the investments necessary to reduce the number of breaches in that industry and make those breaches that do occur much less costly and impactful.