From April through mid-May 2017, HIMSS North America commissioned a survey on the topic of healthcare cybersecurity. The HIMSS cybersecurity survey received feedback from 126 information security professionals from a variety of U.S. healthcare organizations. Survey participants consisted of healthcare CISOs and HIMSS cybersecurity community members.
The survey asked participants to share information about how their healthcare organizations are allocating money to cybersecurity efforts, what security frameworks are being used, thoughts on cloud security and more.
Here are the four most interesting findings from the HIMSS cybersecurity survey:
The majority of healthcare organizations are dedicating portions of their budgets towards cybersecurity, the survey found. Of the respondents, 71% said their healthcare organization was allocating a specific amount of their budget to cybersecurity.
The survey found that 40% of respondents are allocating 1% to 2%, 32% of respondents are allocating 3% to 6%, 17% of respondents are allocating 7% to 10%, and 11% of respondents are allocating more than 10%.
Essentially, about 60% of respondents are allocating 3% or more of their budget, while 7.9% of respondents said they are not allocating any of their budget to cybersecurity.
Security frameworks are being used widely among healthcare organizations, the HIMSS cybersecurity survey found. Of the respondents, 86% said their organization uses at least one or more security framework. Respondents could choose more than one in the survey.
The top security frameworks being used by healthcare organizations include:
NIST Cybersecurity Framework (62%)
Critical Security Controls (22%)
Furthermore, 12% of respondents said their healthcare organization is not using any security framework.
Medical device security
The survey asked respondents: What is your greatest concern about medical device security at your organization?
Respondents’ top concerns included:
Patient safety (32%)
Data breach (26%)
Spread of malware (20%)
Device loss or theft (4%)
Intellectual property theft (1%)
Liability concerns (3%)
Patient safety is the top concern among senior information security leaders because insecure medical devices have the potential to do real harm to a patient, the survey report said.
“A hacked insulin pump may deliver a fatal bolus of insulin to a patient. A ‘connected’ pacemaker may deliver a fatal shock to a patient,” the survey report said. “The technical know-how and skill set exists among cyber adversaries to compromise these devices. Unfortunately, it is a matter of ‘when’ and not ‘if.’ This is not a theoretical problem.”
Although some experts believe the time for cloud in healthcare is now, the survey found that healthcare security experts still have some trepidation about the technology.
The top four concerns the HIMSS cybersecurity survey found include:
Ownership of data: Healthcare security professionals are concerned about what happens to the organization’s PHI at the end of the contract or business relationship with the cloud provider.
Lack of cybersecurity: Due to reports of breaches and cyberattacks affecting cloud service providers, as well as the concerns around insider threats and lack of transparency, security professionals at acute care providers are hesitant to move to the cloud.
Insider threat: Whether intentional or unintentional.
Lack of transparency: Cloud service providers are sometimes perceived as not being very transparent about their cybersecurity practices and operations.