In November of 2018, CynergisTek collaborated with CHIME to examine the top healthcare cybersecurity challenges for CIOs with its survey, “Addressing the Security Gaps in Health IT.” Through most of October and part of November, CHIME polled more than 40 CIOs about gaps in the budget, training, and resources of their cybersecurity programs. Half of the respondents were from larger hospitals with 500 or more beds, while 25 percent had 100-250 beds and a total of 39 percent had fewer than 250 beds.
66 percent expect a budget increase for next fiscal year.
The big question we are all anxious about is, “will the security budget increase?” The good news is that 66 percent of respondents believe it will. Nearly one quarter expect no increase. Unfortunately, another 10 percent appear to be waiting, fingers crossed, and do not know what will happen with security funding for the next fiscal year.
Security Risk Framework Findings
NIST is the most commonly used framework, with more than 48 percent of respondents using it, while ITIL is at 15 percent and HITRUST at less than 11 percent. There are a few surprises here. First, for several years the front runners have been NIST CSF and HITRUST, in that order. Also, recent, larger surveys, including HIMSS Analytics in 2016, reported much higher numbers for NIST. The biggest surprise in this survey is that ITIL is in the number two slot. Two points to note here. First, this was a notably small response from CHIME members and, second, neither ITIL nor HITRUST is actually a risk-based framework for assessing privacy or security. ITIL is a best-practice approach to aligning IT service levels with business needs; it is useful for meeting SLAs around security but is not a security risk framework. The HITRUST Common Security Framework is a set of prescriptive controls that seeks to blend the requirements of multiple regulations and standards, including NIST CSF.
All Other Findings
- Just over 75 percent of respondents have fewer than 10 people dedicated to security (inside and outside of IT), while just under 5 percent have more than 30 team members focused on security.
- Cybersecurity is typically the responsibility of the CIO (32 percent) and/or the CISO (22 percent). Roughly one quarter (26 percent) of respondents said it falls under someone at the director or VP level within IT. Of some concern is the 17 percent of respondents who answered “Other,” with titles ranging from “Outsourced CISO” to “Sr. Manager – IT” to “SVP Chief Technology Risk Officer.” Just over two percent reported that the senior leader charged with cybersecurity was a Director or VP in another department.
- Most organizations rank an organization-wide cybersecurity strategy and end-user awareness as high priorities; however, improved training is needed for both end users and security teams. We continually read and hear that training is needed, and yet we do not really see training being stepped up. With increased funding next year, it will be interesting to see who invests in training rather than in more products, tools, or services.
- Over 10 percent of respondents reported that cybersecurity is never discussed at board meetings, and 59 percent discuss it only when requested, leaving just 26 percent who said it is a topic at most or all board meetings. Sadly, only five percent reported that security (plan, metrics, status, or incidents) is reported at each board meeting. One must wonder what boards would say if finance or patient safety and outcomes were never reported on.
- Addressing medical devices and IoT from a security perspective is well behind where it should be. Over one third of respondents are either still planning to address medical device/IoT security or have not yet addressed it at all; roughly one third say they are currently addressing it; and the final third say they are “beginning to address” medical device security.
- Most organizations said they have implemented basic security controls. Many reported using risk assessment to drive priorities and said they are complying with key mandates such as HIPAA and HITECH. Staying ahead of threats is still a challenge, but most said they are comfortable with where they stand. Most reported that business priorities drive security projects and strategy.
- We can’t do security alone! When asked about outsourcing versus using in-house resources, the majority of respondents said they use a mix of in-house and third parties for security.
To view the full results of the survey, please visit the survey issued by CHIME. If you need additional resources for your cybersecurity program, check out our professional services, which include virtual CISO, cybersecurity remediation project support, and strategic cybersecurity staffing.