Most Wired Cybersecurity Results Point to Gaps and Gains

12.6.2018
Candace Stuart – Director, Communications & Public Relations

Cyberattacks pose a significant safety risk to patients, whether that is through the theft of protected health information, a bad actor gaining access to a digitally connected medical device or disruption in care. Even in cases where no harm is done to patients, a successful breach can inflict significant pain on a hospital or healthcare organization. Loss of a community’s trust. Reputational damage. Potential audits. Lost income. Costly repairs and replacement of hardware and software. The list goes on.

The 2018 CHIME HealthCare’s Most Wired survey included several questions to assess a healthcare organization’s cyber hygiene. Just as washing hands can reduce the spread of germs, practicing good cyber hygiene can help protect a hospital or healthcare system from a cyberattack or lessen the damage if a breach occurs. Based on the results, the healthcare IT industry is making some progress.

For instance, one question that assessed the adoption of security frameworks suggested that hospitals and healthcare systems were moving from using self-developed to formal frameworks. The trend may reflect a shift from trying to merely meet baseline privacy and risk assessment standards set under the Health Insurance Portability and Accountability Act (HIPAA) to implementing a more rigorous and standardized framework, observed Theresa Meadows, co-chair of the U.S. Health and Human Services Healthcare Cybersecurity Task Force. In 2017, the task force released a landmark report to Congress that contained more than 100 recommendations, including guidance on healthcare-specific cybersecurity frameworks.

“The first step to any good security program is picking a framework to use so you can do a thorough assessment and know what your gaps are,” said Meadows, CIO at Cook Children’s Health Care System, a 2018 Most Wired recipient. “And then have an action plan in place to mitigate those gaps or accept the risks.”

Cyberattacks on the healthcare sector have risen drastically since 2009, according to the Institute of Critical Infrastructure Technology, and healthcare is now the top target for cyber criminals. They are becoming increasingly sophisticated, always looking for new ways to hack healthcare organizations.

“The security landscape is constantly changing,” Meadows said. “Doing ongoing risk assessment, communicating the risk and having a plan for this is the most important thing – and, of course, implementing some of your action plans.”

Here’s a look at best practices and their adoption, based on an analysis of the Most Wired survey data.

Most organizations are moving from self-developed security information frameworks to using one or more standardized options.

• National Institute of Standards and Technology (NIST): 78%
• Health Information Trust Alliance (HITRUST): 40%
• Information Technology Infrastructure Library (ITIL): 35%
• SysAdmin, Audit, Network and Security (SANS): 24%
• Self-developed: 19%
• Control Objectives for Information and Related Technologies (COBIT): 11%

These six core components are the foundation of a comprehensive security program. Only 29 percent reported having a complete program in place.

• Report deficiencies*: 95%
• Report progress*: 94%
• Dedicated CISO: 90%
• Governance committee: 79%
• Annual updates*: 76%
• Board-level oversight: 34%

*Reporting these findings to the board