6 in 10 healthcare organizations have a dedicated cybersecurity executive, and it makes a big difference

Healthcare providers that have a dedicated information security executive are more likely to adopt a holistic approach to privacy and security that includes the use of a validated cybersecurity framework, reviewing new technology prior to purchase and testing systems for a potential attack.

Sixty percent of healthcare organizations have a senior executive who oversees cybersecurity, such as a chief information security officer, according to a new survey released by the Healthcare Information and Management Systems Society (HIMSS), which included responses from 126 information security professionals at acute care hospitals, vendors, and payers as well as ambulatory clinics and physician practices.

But the survey also showed stark differences in the cybersecurity program at organizations with a CISO compared to those without one. For example, 95% of respondents with a CISO said their organization uses the NIST Cybersecurity Framework, compared to just 30% among those without executive leadership. Additionally, 88% of organizations with a CISO conducted cybersecurity due diligence prior to purchasing new technology, compared to 57% of organizations without one.

The gaps are similar when it comes to staff education, with 82% of CISO-led organizations supporting staff training versus 57% of organizations without senior leadership. More than twice as many respondents with a CISO were concerned about patient safety related to medical device security.

Analysts have expressed concern that not enough healthcare organizations have dedicated cybersecurity leadership, particularly among small- and medium-sized providers, and some have raised the idea of sharing a CISO among multiple organizations.

Broadly, the HIMSS survey showed that more providers are dedicating a portion of their budget to cybersecurity. Of the 90 respondents that said their organization reserved a specific amount of money for cybersecurity, 60% said that portion made up more than 3% of the organization’s overall budget.

A recent analysis shows healthcare executives are increasing cybersecurity budgets, but much of that is going to technology rather than staffing.

“This data is encouraging because it shows that many organizations are making security programs a priority; however, there is room for continued improvement,” Rod Piechowski, senior director for health information systems at HIMSS, said in a release.