A lot of security surveys have been getting some ink recently. Dell recently published some fairly comprehensive results from a piece it put out just before HIMSS in February (but which was widely reported about two months later). HIMSS itself is not about to be left out: the organization also published its own annual report in February, the HIMSS Analytics Healthcare Security Study sponsored by Level 3 Communications, and the results here are quite stark, too.
In it (shall we excavate?), more than three-quarters of those who took the time to respond to the HIMSS survey said EHRs are the most reliant on network uptime at their organization. No surprise here; for the electronic health record to function it must be “up.”
What about security, culture and even priorities of those serving in America’s health IT leadership positions?
Here are some of the priorities: Remote access/secure access control is employed by more than 85 percent of respondent organizations, and internal security awareness programs are employed by nearly the same share (84 percent). Next-generation firewalls are the technique most likely to be employed at organizations within the next year, and cyber threat intelligence is the technique most likely to be employed within the next two years. Likewise, 78 percent of respondents identified employee security awareness/culture as the overall biggest concern in terms of security threat exposure, with nearly half of respondents ranking it as the top concern.
Also, slightly more respondents identified competing priorities than budget as an overall greater barrier to achieving a comprehensive security program, but 13 percent more respondents identified budget as the number one barrier. Finally, lack of leadership buy-in ranked last in overall rankings, and tied for last in number one rankings.
That said, most of the respondents have a “moderate level of concern towards a security breach occurring within a calendar year at their organization,” so the majority feel as though they are not concerned about an overt threat at present. So, too, then, more than half of those interviewed said their network provider is highly involved in the security strategy and investments at their organization, and an overwhelming three-quarters of these folks said that network providers should be highly involved with security strategy and investments at their organization – a fair thought, and an obvious observation.
The HIMSS Analytics survey gathered responses from 125 high-level IT security respondents at healthcare organizations, who represented a variety of IT roles within the healthcare community, deriving from both ambulatory and non-ambulatory settings of multiple bed sizes.
Of note, internal security awareness is said to have been identified by nearly half of participants as a top concern, followed closely by exposure from partners or third parties.
When asked about network providers’ involvement with regard to security strategy and investments at their organizations, over half of the respondents identified their network provider(s) as being highly involved, while 80 percent said that network providers should be highly involved. Further findings indicated that respondents view organizational budget and competing priorities as the top two hurdles to overcome in developing and/or maintaining a comprehensive security program at their organization.
Cyberattacks might come from outside an organization, but hospital executives are overwhelmingly concerned that employees are creating security vulnerabilities.
FierceHealthcare points out in its reporting that recent data breaches show hospital executives have reason to worry about internal breaches of information at the hands of employees: “Nearly 60 percent of breaches in the month of February were the result of insider threats. According to the most recent Protenus Breach Barometer Report, 44 percent of incidents in March were triggered by insiders.”
Additionally, further protections are often thwarted by lack of funding and the IT department’s standing within the organization. “Nearly 43 percent of respondents said budgets were the top barrier to broader security controls, while 30 percent said competing priorities were the number one issue,” the news site said.