How healthcare organizations are boosting security for IT systems
Keeping information safe is a topic that can cause real insomnia, especially in the wake of WannaCry, Petya and the other ransomware used in global cyberattacks. So where does the healthcare market stand in its effort to better secure information?
To find out, KLAS partnered with the College of Healthcare Information Management Executives (CHIME) to gauge the industry’s status and aspirations. The actions, planned and unplanned, of the nearly 200 organizations interviewed indicate significant movement toward a more secure environment for all types of healthcare information.
In general, healthcare organizations are putting many more resources toward information security. Areas garnering more support include leadership, program development, breach readiness and security-program funding.
More than 95 percent of organizations stated that a specific individual is designated to oversee their security program. These designees range in rank and authority from dedicated analysts to vice presidents and C-level leaders, and over 81 percent of those leading provider security programs are director level or above. Dedicated security leadership, ensuring a focused effort to maintain a safe and secure data environment, is becoming the norm for most healthcare organizations.
As representatives and members of the communities they serve, provider organization boards care about keeping information secure. Surveyed organizations reported that information security is a regular board-level topic: 93 percent discuss it with their board at least annually, and 62 percent at least quarterly. These results suggest that both interest in and support for effective security measures have grown, no doubt driven by the growing number of very public breaches.
Given that resources are limited, knowing where your information security vulnerabilities are and how much risk each one carries is paramount. Just over three-quarters of those surveyed complete external risk assessments at least annually. These assessments are generally performed by a third-party firm and result in an internal plan for addressing the identified concerns. That follow-up plan is what turns an assessment into a prioritized list of remediation work; an assessment whose findings are not tracked to closure adds little.
Organizations with strong security planning in place, including risk assessments, also run a focused education program for users of healthcare information. Highlighting the need for strong and regular education, one IT security leader shared this common challenge: “People are our weakness. We have begun phishing campaigns to get people to quit clicking on links in emails.” A seemingly simple challenge to overcome, the tendency of users to click before they think is a real threat to confidential information everywhere. The critical need for effective employee education is reinforced by another comment: “The biggest exposure is the employees that actually have access to data. There is a small percentage of people who could misuse their access or have malicious intentions. But educating the workforce is probably the best thing we could do to ensure security procedures are being followed by our employees.”
Security frameworks are becoming standard: a significant majority of healthcare organizations follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework. In fact, 75 percent of those KLAS spoke with follow the NIST framework. After NIST, the most commonly mentioned framework was HITRUST. Several provider organizations reported using more than one framework, suggesting a desire to cover all the bases in creating a safe information-sharing environment.
Even organizations with the best, prevention-focused security programs can still be breached. That is why more than two-thirds of organizations surveyed reported having both a breach policy and a playbook, including a designated breach incident team. Nearly four in five had cyber liability and breach insurance in place. Insurance transfers some of the financial risk of a breach, but it does nothing to reduce the likelihood of one or to shorten the response, so the critical action for healthcare executives remains a well-developed, rehearsed plan for dealing with the impact of a breach, even while hoping it is never needed.
Prevention alone is not enough. To understand and prepare for information security threats, organizations also need effective, reliable detection systems, paired with a plan to respond to what those systems find, so that an intrusion that gets past preventive controls is identified and contained quickly.
The proliferation of tools that help caregivers and other healthcare professionals deliver care and manage business processes is both a blessing and a curse. With so many entry and exit points for information, keeping it secure is a never-ending challenge for data stewards. Consider the effort needed to keep information that enters and leaves an organization on laptops, desktops, tablets, smartphones, flash drives and similar devices protected and out of the hands of those who would misuse it. The necessary encryption, password protection and other protective measures continue to challenge and, at times, frustrate end users, yet they remain critical to a safe environment for sharing the information that care requires.
As with most successful strategies, adequate funding is key to accomplishing cybersecurity initiatives. There is likely no single right answer for how much investment is needed. As for the current state of investment, the majority of provider organizations (68 percent of respondents) spend less than 4 percent of their total IT budget on security; 14 percent dedicate 5 percent to 6 percent of their budget; and 18 percent commit around 7 percent. Security leaders recognize the challenge of balancing competing demands for resources, yet they are quick to note the scope of what they are charged with: the safe acquisition, storage and exchange of information requires investment.
While most security leaders feel that funding is moving in the right direction, there is still an opportunity to bring system executives and security leaders together to understand and appropriately fund adequate offensive and defensive measures. One security leader's perspective illustrates that need: “The operational-security budget is way too small. It is always hard to convince executives to fund things that do not bring in immediate value. Security, disaster recovery, and backups don’t make sense; those are hard sales to make to leadership. Until an organization gets serious breaches often, the security team does not receive proper funding from the board.”
So, where do you start? Start with leadership. Make sure someone is clearly designated to both create and execute an effective, evolving health IT (HIT) security plan. Get your board involved; let them know you are serious about securing information and need their support in dedicating adequate resources to do so. Then, under the direction of your security leader, develop a comprehensive plan for creating a more secure environment for the information entrusted to you. Perform risk assessments regularly, establish a training program, and follow a recommended, reputable security framework. Dedicate enough financial resources, for both staffing and software, to develop and execute the plan. Prioritize, and take care of the most critical needs first.
For more information on what CHIME and KLAS learned about provider experiences and strategies regarding cybersecurity, providers may access the 2017 cybersecurity report at no charge (registration required) at klasresearch.com.