Author: Heather Landi / Source: Healthcare Informatics Online
A new healthcare cybersecurity report from HIMSS finds that healthcare organizations are taking steps to enhance their cybersecurity programs to a greater degree, and the findings also indicate that organizations that employ a CISO or other senior information security leader have adopted holistic cybersecurity practices.
The 2017 HIMSS Cybersecurity Survey provides insight into what healthcare organizations are doing to protect their information and assets, in light of increasing cyber-attacks and compromises affecting the healthcare sector. The 2017 report focuses on the responses from 126 IT leaders who report having some responsibility for information security in a U.S.-based healthcare provider organization, such as a hospital or long-term care facility.
The majority of organizations measured (71 percent) allocate specific budget toward cybersecurity. Additionally, 80 percent of IT leaders measured indicated their organization employs dedicated cybersecurity staff.
“As it was last year, attackers continue to target the healthcare sector,” Rod Piechowski, senior director, health information systems, HIMSS, said in a statement. “Quality, stress-tested cybersecurity programs are imperative to protecting provider organizations and the patients they care for. This data is encouraging because it shows that many organizations are making security programs a priority; however, there is room for continued improvement. Our hope is that the new research will be an important resource for organizations navigating the complex security landscape.”
Of those respondents who were able to identify the percent of their organization’s budget allocated for cybersecurity, 60 percent claim cybersecurity commanded 3 percent or more of the budget. The highest percentage of respondents (40 percent) reported allocating only 1 to 2 percent to cybersecurity, while 32 percent reported 3 to 6 percent of the budget. Seventeen percent allocate 7 to 10 percent, and 11 percent of respondents allocate more than 10 percent of their budget to cybersecurity.
However, 8 percent of respondents indicated that no funds have been allocated for cybersecurity.
The vast majority of organizations (80 percent) employ cybersecurity staff. Of those who could identify a ratio of cybersecurity staff to IT users, 53 percent reported a ratio of 1:500 or lower. The 1:500 ratio is significant because some researchers have found that a staff ratio of 1:500 is ideal for organizations that are information centric, have considerable Internet exposure and have a low risk appetite.
Over half of respondents (60 percent) indicate their organizations employ a senior information security leader, such as a Chief Information Security Officer (CISO). Essentially, these respondents’ organizations have made the decision to dedicate an executive role to information security through this senior leader position, arguably making information security a business priority.
Three-quarters of respondents (75 percent) indicate that they have some type of insider threat management program at their organizations. While it is encouraging that so many respondents indicated that they have an insider threat management program, the report authors note that a formal insider threat management program may be more effective than an informal one.
The vast majority of respondents (85 percent) state that they conduct a risk assessment…