Healthcare organizations continue to make headlines as the target of cyberattacks, ransomware threats, and the source of large data breaches. In fact, the healthcare industry now holds the unwelcome distinction of being the most cyberattacked industry, ahead of manufacturing, financial services, the government, and transportation.1
In spite of this, many in the industry continue to view cybersecurity as simply a HIPAA compliance issue. HIMSS Analytics recently conducted research that drove this point home. One hundred C-suite, business, IT, and clinical leaders participated in HIMSS Analytics’ recent survey, “Healthcare IT Security & Risk Management,” conducted on behalf of Symantec.
The survey data showed healthcare organizations are incrementally increasing governance, staffing, and budgetary resources dedicated to cybersecurity. However, “many healthcare organizations continue to view cybersecurity as an information technology (IT) problem, rather than as a business risk management issue,” said David Finn, health IT officer at
Symantec.
This narrow view of cybersecurity can blind an organization to the larger risks that cyberattacks pose. “Progressive healthcare organizations are starting to view cybersecurity as a patient safety and quality-of-care issue,” said Bob Chaput, chief executive officer of Clearwater Compliance.
“The HIMSS Analytics research showed that most organizations continue to treat cybersecurity on a tactical level and merely as a technical matter,” Chaput said. “There is a lot of ‘spot welding’ going on, as opposed to taking a more architectural approach and treating cybersecurity as an organization-wide risk management issue.” Finn and Chaput agree that healthcare organizations need to operationalize their cybersecurity strategies across the enterprise in order to defend themselves from increasing numbers and types of cybersecurity attacks.
Who owns cybersecurity in the organization?
The cybersecurity leadership structure offers a clue as to whether or not cybersecurity has been operationalized. A majority (67%) of the survey respondents indicated their organization had a dedicated/full-time chief information security officer (CISO).
It’s good news that two-thirds of survey respondents represent organizations that take cybersecurity seriously enough to allocate dedicated leadership. On the other hand, said Finn, “The fact that nearly one-third of respondents still don’t have a dedicated security officer—more than 10 years after the security rule for HIPAA went into effect—is not a good reflection on the industry.”
Although there is a need for CISOs in healthcare, the mere existence of a CISO is not enough. Reporting structure can impact the CISO’s effectiveness. Sixty-six percent of respondents indicated the senior security officer reports to the chief information officer (CIO), a setup with built-in conflicts. “The CIO’s job is to keep the business up and running. The security officer’s job is to make sure the business is secure; operations are therefore seondary to the CISO. If the CISO reports to the CIO, there are going to be conflicts. Organizations have to be aware of that and manage it,” said Finn.
Regardless of whether leadership rests with the CISO, the CIO, or another position, healthcare organizations understand that ownership for cybersecurity risk is shared across the institution. As one survey respondent, the CIO of a 500-plus bed facility, said, “People used to think cybersecurity was an IT issue. But now we are trying to cast cybersecurity in the same light we cast things like patient safety: everybody is responsible for this.”
Moving toward strategic preparedness for cyberattacks
Healthcare organizations are beginning to understand cybersecurity is more than just an IT problem. Cyberattacks threaten an organization’s reputation and brand; lead to financial consequences including fines, penalties, and settlements; put regulatory compliance at risk; and affect operations, even to the extent of impacting quality of care and patient safety.
“We need to think about information risk management as part of the organization’s overall enterprise risk management and governance/risk/compliance programs,” Chaput advised. “If organizations continue to ignore the strategic importance of information risk management, we are going to continue to see an upsurge in breaches, an increase in failed audits, and additional successful cyberattacks. Ultimately, these things are going to limit the ability of an organization to grow.”
That’s why it is so important to assess your risk before something bad happens. “If you can only do one thing, conduct a comprehensive risk analysis,” said Chaput. “If you do it properly, you’ll be going to the head of the class. Office for Civil Right (OCR) data shows over and over again that nine out of 10 organizations either audited or investigated by OCR are failing to do this very basic, fundamental requirement of any good cybersecurity program.”
The bigger picture, however, is that healthcare organizations must understand, “these are not just IT or security risks—they are business risks and have the potential to slow down, or shut down, patient care,” said Finn. “IT and security leaders cannot fix those problems, even from a cyber perspective, without the entire organization getting behind that initiative financially, staffing-wise, from a control perspective, and certainly not without training, education, and awareness for everyone.”
Reference
- Morgan, S., “Top 5 industries at risk of cyber-attacks,” Forbes, May 13, 2016, http://www.forbes.com/sites/stevemorgan/2016/05/13/list-of-the-5-most-cyber-attacked-industries/#55ef62753954
Source: Operationalizing Cybersecurity in Healthcare Organizations, 2017 IT Security & Risk Management Study, Symantec and HIMSS Analytics
