IT security stature grows, in fits and starts, at healthcare organizations
Security risks to health information technology are increasingly seen as serious enough to command the attention of top executives and boards of directors at healthcare organizations.
That’s progress from only a couple years ago, when protecting patient healthcare information was seen as only an IT issue, according to the results of a recent HIMSS Analytics study.
Cybersecurity budgets are growing, the survey found. Now, 24 percent of respondents say their organizations spent from 7 percent to 10 percent of their IT budgets on security in 2016, compared with only 10 percent of respondents who reported spending at that level in 2015.
Recent healthcare security events that made front-page news in 2017, particularly hospitals and healthcare systems that were hit and crippled by ransomware, helped to heighten fear of cyber attacks among top execs and board members, says David Finn, health IT officer for Symantec, which commissioned the HIMSS Analytics study.
The fact that a ransomware event can bring clinical care to a halt and cut off revenue streams has raised awareness that such incidents are a business risk requiring an organization-wide response.
But that awareness is still in an early stage, Finn says. “Many healthcare organizations continue to view cybersecurity as an information technology problem, rather than as a business risk management issue,” he says.
HIMSS Analytics expanded the scope of the survey to include clinical executive leaders, such as chief medical information officers and chief medical officers, and those roles are increasingly pushing the security agenda forward in their organizations, Finn noted. Those leaders understand that cyber attacks ultimately could prevent clinicians from providing care services to patients.
More healthcare organizations understand the need for a lead position to be designated for information security—the survey found that 67 percent of respondents said they have a dedicated chief information security officer role.
While that’s a positive development, Finn notes that it also means a third of healthcare organizations haven’t designated anyone to take the lead on information security. Since federal security rules were passed in 2005 requiring healthcare organizations to have someone in charge of security, that represents slow progress, he adds.
Staffing for IT security in healthcare is growing, but unevenly from one organization to the next. There’s been growth among staff roles designated to information security: 13 percent of respondents reported having six to 10 employees dedicated to IT security, compared with 10 percent in 2015, and 11 percent of respondents said their organizations have 11 to 20 employees tasked with security.
However, the majority of respondents had fewer than four staff dedicated to information security in 2016, and a significant number of organizations have only one person responsible for protecting their networks, Finn says.
More budget and commitment are needed, he notes. For example, the survey found that 57 percent of responding clinicians identified the importance of training and asked for more security training.
“Healthcare organizations are missing an opportunity here,” Finn says. “When you have clinicians suggesting that they want more training, they understand they will be the biggest losers if an attack occurs.”