CHIME: Ransomware top concern for health IT, security execs

Ransomware and malware attacks rank as the top cybersecurity concerns for hospital IT and security executives who responded to a survey jointly unveiled Thursday by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS).

In particular, survey respondents (.pdf) indicate they worry most about data exposure, but said that poor authentication was the most common vulnerability. Malware and ransomware were listed as the most common exploits, by the 190 CHIME and AEHIS members who participated in the survey.

Most executives said that because security is not looked at as a patient care or quality of care issue, business strategy did not drive security strategy. Still, almost all respondents indicated that compared to last year, their organization was more prepared to handle an attack.

In terms of government understanding of cybersecurity issues in healthcare, the bulk of respondents (39 percent) said they have no confidence that federal legislators can offer meaningful help for information security initiatives; only about 6 percent of executives said they were “very confident.”

The results of the survey were shared this week with the Department of Health and Human Services Cybersecurity Task Force, according to a CHIME announcement. The task force, which consists of 21 individuals from across the healthcare industry, is charged with analyzing how several industries, including healthcare, address cybersecurity; it ultimately must present a report to Congress on its findings and recommendations.

Nearly 55 percent of respondents said they think the government should provide incentives for organizations to share information to encourage the exchange of cybersecurity information between entities. Fifty-one percent, meanwhile, believe the government should develop tools to help with the sharing of such information that vary depending on a provider’s size.

In a letter sent to the National Institute of Standards and Technology last month, CHIME and AEHIS said that healthcare entities should be “indoctrinated” into info sharing programs to ensure proper education on the threat landscape. They also called for increased guidance about current cybersecurity threats.