Addressing Healthcare Cybersecurity Strategically
Featuring industry research by HIMSS Analytics
Healthcare organizations are awash with data. However, electronic health records (EHRs) and digital clinical systems in many healthcare organizations have been deployed without strategic data and IT infrastructure security planning. As a result, chief information security officers (CISOs) frequently have limited authority, sparse staffing and tight budgets. Data security spending in healthcare lags behind other top cybercrime targets such as financial services, according to new research by HIMSS Analytics on behalf of Symantec Corporation.

All of this makes healthcare organizations rich targets for cybercriminals. Stolen patient data fetches up to 50 times more than a Social Security or credit card number,1 because a patient’s EHR contains data that can be used for medical or identity theft, or other fraud. As a result, criminal attacks on healthcare information systems have increased 125 percent in the past five years.2

“No doctor leaves his car unlocked at the hospital, but we’re pretty close to doing that with ePHI (electronic protected health information),” said David Finn, Symantec’s health IT officer. Each patient record should be treated as if it were an actual patient. “We would no more send patients to the wrong specialist or give them the wrong diagnosis, yet we leave computers unlocked and use unprotected jump drives,” he said.

Adding more security products to an enterprise is not the solution. And managing data security with after-the-fact tactical responses instead of proactive strategies to prevent incidents contributes to the enormous financial consequences of each privacy breach. Banks and retailers face costs of about $215 and $165, respectively, for each lost or stolen record, while healthcare privacy breaches cost businesses as much as $398 per lost or stolen record.3 CISOs need to guide hospitals, including their leadership, on making the best business decisions given the realities of risk today, according to Finn.
The HIMSS Analytics Healthcare IT Security and Risk Management Study of healthcare IT security leaders found:
• Most organizations conduct IT security risk assessments only once a year;
• Many security leaders have only occasional interactions with top-level leadership;
• Medical-device security is only in the planning stages at many organizations.

The survey polled 115 IT and security personnel responsible for data security in hospitals with more than 100 beds. Organization size ranged from standalone hospitals to integrated delivery networks. A subset was selected for in-depth interviews.
Struggling for resources

Unlike industries such as insurance or banking that rely on personal data, few healthcare organizations allocate more than 6 percent of IT budgets to data security. Half of survey respondents (52 percent) said their organizations allocate between zero and 3 percent of IT budgets to IT security; 28 percent said budgets were between 3 percent and 6 percent (Figure 1).

Staffing is another limitation. Among respondents, 72 percent have five or fewer IT employees allocated to data security, and only 10 percent have 21 or more. Even when employees outside of IT with data security responsibilities are included, the adjusted average total number of employees allocated is 10.4

“The lead challenge is talent and acquisition,” said one CISO. Competition for talent with other industries puts healthcare at a disadvantage, said another. “The rest of the cybersecurity world is retaining good talent,” he said.

“The irony is that information technology and data in healthcare are clearly critical to the mission of providing care, yet data security is an afterthought,” said Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force and CEO of CynergisTek, Inc., an information security and privacy consulting firm. He agreed that recruiting and retaining data security professionals is one of the biggest challenges in healthcare. “We don’t have enough of them, and we don’t have enough who are qualified to do their job,” he said.
Reporting structure and leadership challenges

Organizational structure compounds underfunding and understaffing challenges. In most healthcare entities, CISOs report to the chief information officer (CIO), and in effect, police their bosses. More than 65 percent of data security officers are part of IT departments, and only about 20 percent are independent. Most (69 percent) report collaborative relationships between security and IT.

Corporate leadership’s attention to data-security strategy is another factor. While 10 percent said data security is on every board of directors meeting agenda, 54 percent said regular schedules for board review don’t exist. Furthermore, 8 percent of respondents said that data security reports are “never” on board agendas (Figure 3).

That structure stymies data security. “The technology belongs to IT, but the information belongs to the patient,” Finn said. By relegating data security to IT departments, healthcare leaders focus too much on preventing the next breach when they could instead implement better, more reliable systems that yield business advantages.
Compliance is not assurance

Respondents ranked the importance of a cybersecurity strategy for their organizations 4.23 on a 5-point scale. However, only 23 percent of respondents said they have ongoing, consistent risk-management programs, and 44 percent conduct risk assessments just once a year. Survey results also showed the National Institute of Standards and Technology (NIST) framework is the most common methodology (57 percent) used for HIPAA assessments.

Figure 1. Share of IT budget allocated to IT security: 0-3% of budget, 51.6%; 4-6% of budget, 28.6%; 7-10% of budget, 9.9%; over 10% of budget (label partly lost in extraction; read as the bin above 10 percent), 9.9%.
While frequency of these risk assessments and budgets remains low, the volume of threats keeps growing. CISOs surveyed expressed concerns about their ability to keep up with ever-changing efforts to hack into their networks. “We are dealing with a different threat profile… and a different level of sophistication from three or five years ago,” said one respondent. “That has been one of the key drivers of our increased investment in new technologies and employee awareness.”

Adding to the challenge, respondents reported only mid-level agreement on the prioritization of data security measures, and the need for remediation and mitigation of incidents ranked higher than having a unified view of controls and vulnerabilities that might prevent incidents from happening.

Medical devices are another concern. Because manufacturers traditionally have not put a focus on incorporating cybersecurity features in their devices, the growing network of connected devices emerges as an attractive cybercrime target.5 And healthcare organizations are not filling the gap: 50 percent of respondents are only planning and beginning to address medical-device security (Figure 2).
The CISO’s evolving role

Protecting data security requires CISOs to gain authority and resources, which can happen when they translate technical risks into business risks and data security plans into business opportunities. “We need to be able to present our findings and our risks in the same context (as other business units), so that when the board looks at our recommendations, they realize that this is something worth investing in,” said a CISO of a mid-size healthcare organization.

McMillan said CISOs have to be strategic themselves to win support for long-term data security plans. “CISOs have to understand the business, know what the leaders are aiming to accomplish and put together a business plan for security that ties into those business goals,” he explained. This is an opportunity for CISOs to be recognized for more than tactical responses and individual incidents. “We have seen a similar evolution of CIOs over the past 20 years,” said Finn. “They aren’t the ‘IT guy’ anymore.”

Partnerships between CISOs and CIOs help make the business case, a respondent noted. “It is absolutely critical that the CISO and CIO work together to understand how technology is used, the strategy of technology in the organization and how technology is spread across the organization,” said the CISO of a large children’s hospital, adding that the CISO is “the partner to help (the CIO) do things in the least-risky manner.”
Figure 2. Status of medical-device security programs; response categories: Already addressing; Beginning to address; Planning to address; Not addressing at this time (percentages not recoverable from the page).
Produced by | www.himssmedia.com | © 2016
About Symantec:
Symantec Corporation (NASDAQ: SYMC) is the global leader in cybersecurity. Operating one of the
world’s largest cyber intelligence networks, we see more threats, and protect more customers from
the next generation of attacks. We help companies, governments and individuals secure their most
important data wherever it lives.
Continuous vigilance required

Finn emphasized that organizations need to stop relying on annual HIPAA compliance risk assessments as measures of data security. “The measure should be: Are we making the best, rational decisions (business and clinical) given the risks we face? And that has to be asked every time there is a change in the system — people, process or technology.”

McMillan said healthcare organizations should scan their external IT environment quarterly and internal environment twice a year, but periodic risk assessments are secondary to continuous monitoring of user IDs, firewall logs, software patches and other points where risks can be spotted. “Those active risk-management practices that go on day-in and day-out are the things that need to be solid, so that CISOs can stay ahead of threats,” he said.

Once organizations deploy base security controls and comply with key mandates such as HIPAA and HITECH, they can let their risk assessments drive priorities and business priorities drive the security strategy. By developing a sustainable risk-management program, CIOs and CISOs can help their organizations shift their security mindset from tactical and reactive to strategic, robust and long term.

That culture change is critical. “Healthcare is a very open, caring and trusting business,” which makes some people in healthcare organizations less receptive to addressing data security, said McMillan. “They don’t understand that you cannot have privacy without good data security,” he said. Finn concurred, adding, “Privacy and security have to be part of the system. You cannot do it after the fact. It’s never as effective and it costs more to do it that way.”
Figure 3. How often data security appears on board of directors agendas (values only; category labels did not survive extraction): 53.9%, 20.9%, 10.4%, 7.8%, 7.0%. The 54, 10 and 8 percent cited in the text correspond to the 53.9, 10.4 and 7.8 percent values.