Why Health Care Providers Need a Dedicated Cybersecurity Team

New study shows progress, illuminates continued trouble spots

The results of this year’s HIMSS Cybersecurity Survey indicate health care provider organizations are taking greater than anticipated steps to enhance their cybersecurity programs. Key findings among the organizations surveyed include:

75 percent have some type of insider threat management program.
85 percent conduct a risk assessment at least once a year.
75 percent regularly conduct penetration testing.
60 percent employ a senior information security leader.
80 percent employ dedicated cybersecurity staff.
71 percent allocate specific budget toward cybersecurity.

Generally speaking, the numbers are encouraging. However, those last three stats reveal the following about health care provider organizations:

40 percent don’t employ a senior information security leader.
20 percent don’t have dedicated cybersecurity staff.
29 percent are not devoting specific budget to cybersecurity.

That’s troubling.

Now, it’s true many small to mid-sized providers do not have budgets to support a dedicated security / privacy specialist. In these cases, however, they must at least assign cybersecurity responsibilities to one or more current employees.

Health care provider organizations need staff members with assigned responsibilities dedicated to cybersecurity. Here’s why:

It leads to a more knowledgeable, confident staff and better culture. As technology use has exploded, many employees have been left to fend largely for themselves in a wilderness of new software and devices. One of the roles of a cybersecurity contact, or better yet team, is to train employees and send frequent reminders to them. This generates a more confident workforce. Employees know how to use the technology they need to do their jobs, as well as how to safeguard electronic protected health information (PHI) as they do. Having confident, informed employees will also lead to a better workplace culture.

It saves time and money. Data breaches cost organizations a lot in time and money – not to mention the loss in business and trust, and the many harms that could occur to patients. Ensuring there are dedicated cybersecurity professionals, or employees assigned this role and trained frequently, should be viewed as an investment that will prevent greater costs, to your organization, as well as to your patients, down the road.

Medical data is worth more than any other data (especially to fraudsters). It includes all basic and financial information – and a whole lot more. Unlike credit cards that can be cancelled, consumers’ names and their physical and medical characteristics cannot. Significant financial damage can hit associated patients when their information is used by fraudsters.

Medical devices are getting smarter. The greater the number of smart, wi-fi connected medical and health devices, the more information there is to protect. At least 25 percent of medical devices within hospitals and clinics are smart, meaning they’re connected to the Internet, either directly or indirectly through things like smartphones and networks. Incidents can occur from malicious outsider intent, malicious insider intent, mistakes and more.

There’s too much at stake. Lack of planning and integrating with networks and systems could shut down medical devices. There have been reports of medical devices used in operations, such as heart procedures, that shut down as a result of the attached network’s anti-virus software sensing it as a threat. There has even been a report of a nurse who shut down an anesthesia machine by attempting to charge a cell phone in the machine’s USB port.

Read the full HIMSS report.

Although it goes without saying, the biggest reason health care providers should have a dedicated cybersecurity team (or an individual clearly assigned cybersecurity responsibilities) is that it leads to better security for all forms of PHI, as well as for your patients. It also demonstrates due diligence for compliance that the regulators look for when doing audits. Knowing there are employees focused on data security will also help the organization’s leaders sleep better at night.