Guest Column | February 16, 2017

Cybersecurity Confidence Does Not Always Match Reality

David Finn, Health IT Officer, Symantec

By David Finn, Health IT Officer, Symantec

Another year has come and gone and cybersecurity threats have grown more onerous than ever. According to our 2016 Internet Security Threat Report, the largest number of breaches in 2015 took place within the healthcare sector, accounting for 39 percent of all breaches and four million identities exposed. If 2017 follows suit, healthcare is in for a tumultuous year.

Healthcare data is extremely valuable to cybercriminals who attempt to breach networks to access data — ranging from medical and financial records to credit card transactions and Social Security numbers — and exploit it for financial gain. The rise of ransomware is particularly alarming as attackers can hold data hostage until the organization pays up or attempts to restore systems. Imagine the implications if, for example, data regarding a specific patient’s medication allergy wasn’t accessible in an emergency situation. In healthcare, ransomware doesn’t just affect business operations; it can impact lives.

Against this backdrop, a recent survey by HIMSS Analytics and Symantec of more than 100 hospital executives, IT professionals, and clinical leadership examines the state of healthcare IT security and risk management today.

Let’s start with the good news. While the majority of organizations still have five or fewer employees allocated to IT security, the numbers are starting to rise. Thirty-seven percent of respondents have more than five full-time employees allocated to security inside IT (up from 28 percent in 2015), and 18 percent have more than five full-time employees allocated to security outside IT (up from 12 percent in 2015).

In addition, two-thirds of respondents say their organization has a dedicated, full-time chief information security officer, who most often reports to the chief information officer, showing increased focus at the top of the IT organization.

However, while IT security budgets have increased since 2015, they still tend to be 6 percent or less of the overall IT budget and, despite increases to security staffs and budgets, organizations say they remain the biggest barriers to improving confidence in security programs.

We saw an interesting disconnect between the business and IT sides of healthcare. On average, clinical and business respondents report much higher confidence in their organization’s cyber-attack preparedness than their IT and security counterparts. But this confidence does not always match reality — more than half of surveyed organizations have been subjected to at least one external cyber-attack in the last 12 months. We suspect that number is actually much higher in reality, as many of those who said they were not attacked are likely not even aware they were. In addition, more than one-third of organizations are still only complying with key mandates or only implemented basic security controls.

As more than 45,000 attendees descend on Orlando next week to attend the annual HIMSS Conference, we encourage them to connect with their peers and meet with security solution providers to learn as much as they can about cybersecurity and how it should fit into their overall IT strategy. Here are four recommendations for healthcare providers seeking to boost their cybersecurity postures in these increasingly challenging times:

  • build a comprehensive risk management program leveraging the NIST Cybersecurity Framework
  • go beyond key mandates and basic security controls to protect infrastructures from targeted attacks and advanced threats, including ransomware
  • continue to invest in IT security resources like tools and staffing, and — if sensible — consider partnering with outside security experts for assistance
  • increase focus on end-user training, while protecting sensitive data and preventing unauthorized access to networks

The growth of data in the healthcare industry is only going to accelerate with the move to EHRs, the proliferation of medical devices connecting to the network, and the shift toward cloud computing. As the landscape continues to evolve, organizations must employ a holistic approach to using sound systems, security engineering techniques, and security design principles to make their systems less vulnerable, reduce damage caused by threats, and improve resilience against attacks.

About The Author
David Finn, CISA, CISM, CRISC is the Health Information Technology Officer for Symantec. Prior to that role he was the Chief Information Officer and Vice President of Information Services for Texas Children’s Hospital. He also served as the Privacy and Security Officer for Texas Children’s Hospital. Prior to that position, Finn spent seven years as a healthcare consultant with IMG/Healthlink and PwC, serving last as the EVP of Operations for Healthlink. Finn has more than 30 years’ experience in the planning, management, and control of information technology and business processes. He is focused on creating and maintaining trust in and value from information and information systems.