The 2017 HIMSS Cybersecurity Survey resulted in many positive findings about healthcare cybersecurity. Healthcare providers that contributed to our survey told us that healthcare cybersecurity is indeed a priority and that proactive measures, such as penetration testing, are taking place.
Here are five takeaways from the 2017 HIMSS Cybersecurity Survey.
1) Penetration testing is essential.
Penetration testing is often outsourced to third parties. Getting penetration testing done is not necessarily an inexpensive endeavor. Nonetheless, about 75% of our respondents are regularly conducting penetration testing. Penetration testing is a good way to test one’s cybersecurity defenses, incident response plans, awareness training, policies and procedures. Penetration test reports can hold significant value, as they explain what gaps or deficiencies may exist and how to remedy them.
2) Cloud security concerns are top of mind.
Information security professionals at acute care providers are concerned about cloud security. Specifically, points of concern include ownership of data (53%), lack of cybersecurity (53%), insider threat (41%), lack of transparency (42%), and lack of geographical restrictions (44%). These concerns include questions such as the following: Where will my data be? Will my data go outside of the borders of the United States? Will I be able to get my data back once the contract is over? Who has access to my data at the cloud provider? While more healthcare providers may be turning to cloud solutions, there are a number of concerns that must be addressed.
3) Medical device security is a top concern.
Both acute care and non-acute care providers are concerned about medical device security. However, patient safety is at the top of the list as it pertains to acute providers, according to 32% of respondents at healthcare organizations with chief information security officers or other senior leaders. Many acute providers have life-sustaining or life-saving medical devices. Considering that many of these are Bluetooth-enabled connected devices, medical device security and patient safety are very much intertwined—so much so that a potential compromise on a medical device may lead to an adverse event.
4) Frequent testing for failure of technological resources.
Business continuity and disaster recovery have traditionally been weak points in healthcare cybersecurity. On a positive note, 59% of organizations with chief information security officers or other senior IT security leaders and 40% of organizations without such senior leaders are testing for failure of technology resources for business continuity and disaster recovery purposes. As our weather patterns get more extreme and as ransomware and denial of service attacks are on the rise, providers of all types are realizing that we need to be prepared.
5) Cybersecurity due diligence of technology products and services is frequently done.
Many healthcare organizations are aware that buying technology products or services off the shelf can be a dangerous proposition. Indeed, such products or services may be implanted with malware and/or they may have significant vulnerabilities off the shelf. Thus, an overwhelming 88% of healthcare organizations with chief information security officers or other IT security leaders and 57% of healthcare organizations without such leaders are ensuring that cybersecurity due diligence is done during the pre-acquisition stage – i.e., prior to the implementation of the technology product and/or service at the organization.
We are facing a new reality of a very challenging cyber threat landscape. However, the respondents to our 2017 HIMSS Cybersecurity Survey are indicating that they are taking proactive steps to stay ahead of the threats. With concerns such as significant data breaches and potential harm to patients, there is no doubt that healthcare cybersecurity will continue to be a hot topic for the foreseeable future.