Healthcare Security Study February 14, 2017
Prepared For:
Enabling better health through information technology.
Presentation Outline
- Research Purpose and Design
- Research Methodology
- Respondent Demographics
- Research Findings and Results
Key Takeaways
- Three-quarters of respondents say EHRs are the applications most reliant on network uptime at their organization.
- Every surveyed breach-mitigation technique is employed by more than 50% of respondent organizations.
- Remote access/secure access controls are employed by over 87% of respondent organizations, and internal security awareness programs by over 84%.
- Next generation firewall is the technique most likely to be adopted by organizations within the next year, and cyber threat intelligence (CTI) is the technique most likely to be adopted within the next two years.
- 78% of respondents identified employee security awareness/culture as the biggest overall concern in terms of security threat exposure, with nearly half of respondents ranking it as their top concern.
- Slightly more respondents identified competing priorities than budget as the greater overall barrier to achieving a comprehensive security program, but 13% more respondents identified budget as the number one barrier.
- Lack of leadership buy-in ranked last in the overall rankings and tied for last in number-one rankings.
- Respondents have a moderate level of concern about a security breach occurring at their organization within a calendar year, with an average ranking of 4.8 out of 7.
- Over half of respondents reported that their network provider is highly involved in security strategy and investments at their organization.
- Over three-quarters of respondents indicated that network providers should be highly involved in security strategy and investments at their organization.
Research Purpose and Design
Purpose: to identify and understand high-level IT security concerns in the healthcare environment.
Design: a web-based, voice-of-customer quantitative study with IT personnel at U.S. hospitals and healthcare systems.
Research Methodology
Target Market: U.S. Hospitals and Healthcare Systems, Ambulatory Groups and Facilities
Targeted: IT Leaders, C-Suite Executives, and IT professionals working in the healthcare environment
Contacts via:
Recruitment: Web study link open between January 17 and February 10, 2017
Respondents: 125
Respondent Demographics
125 respondents, all of whom work in or alongside the IT department at a healthcare provider organization.
- 53% are at organizations with 500+ beds
- 87% are at an acute inpatient hospital/healthcare system; 13% are at ambulatory organizations
- 21% are C-suite level
- 49% are a Director or Manager of IT
- 30% are IT Security Officers or hold other IT positions
Respondent Demographics: Respondent Titles (N = 125)

Respondent Titles (Grouped)
- C-suite: 20.8%
- Director/Manager of IT: 48.8%
- IT Security Officers and other IT positions: 30.4%

Respondent Titles Broken Down
- CCO: 4.0%
- CIO: 9.6%
- CISO: 3.2%
- CTO: 4.0%
- Director of IT: 19.2%
- Manager of IT: 29.6%
- Clinical Informaticist: 4.8%
- IT Security Officer: 4.8%
- Other IT positions: 12.0%
- Other (please specify): 8.8%

Other (please specify) responses: Director IMS; Department Chair; Chief Supply Chain Officer; Medical Director for HIT; Director of Clinical Data Reporting; EHS Director; CMIO
Respondent Demographics: Bed Size and Organization Type (N = 125)

Bed Size
- Less than 50 beds: 14.4%
- 50-100 beds: 4.8%
- 101-250 beds: 10.4%
- 251-500 beds: 12.8%
- Greater than 501 beds: 52.8%
- Other (please specify): 4.8%

Organization Type
- Academic Medical Center
- Corporate Offices of a Healthcare System
- Hospital that Is Part of a Delivery System
- Other Healthcare Organization (i.e. home healthcare, SNF, long-term care)
- Stand Alone Hospital
- Other (please specify)
[Bar chart. The percentages printed on it (24.8%, 28.8%, 16.0%, 9.6%, 17.6%, 3.2%) cannot be matched to individual categories from the extracted text; together, acute inpatient hospitals/healthcare systems account for 87% of respondents and ambulatory organizations for 13%.]
Research Findings and Results

Network uptime
Question: When thinking of your organization's need for access to systems at all times (care-critical especially), which applications most rely on network uptime? Please rank the importance of network uptime for each area from 1 to 8, with 1 being the most important for network uptime and 8 being the least important. (N = 125)
[Stacked bar chart by application, with responses grouped as High Importance (ranks 1-3), Average Importance (ranks 4-5) and Low Importance (ranks 6-8). The application labels are not present in the extracted text, so the per-application percentages cannot be recovered.]
The majority of organizations currently employ multiple practices to mitigate risk
Question: What practices or services do you have in place to protect your organization/mitigate breaches? Please select all that apply. (N = 125)
- Remote access/secure access controls: 87.2%
- Internal/employee security awareness program: 84.8%
- Security consulting services (vulnerability assessment, penetration testing etc.): 75.2%
- Next generation firewall (sandboxing, data loss prevention, application control etc.): 62.4%
- Distributed Denial of Service (DDoS) Mitigation: 56.0%
- Cyber Threat Intelligence (CTI): 55.2%
Mitigation techniques employed per organization bed size
Question: What practices or services do you have in place to protect your organization/mitigate breaches? Please select all that apply.

Technique                                                                             | 500+ beds (N = 66) | 101-500 beds (N = 29) | [third bed-size group; legend cut off in extract] | All respondents (N = 125)
Remote access/secure access controls                                                  | 86.4%              | 93.1%                 | 83.3%                                             | 87.2%
Internal/employee security awareness program                                          | 87.9%              | 89.7%                 | 70.8%                                             | 84.8%
Security consulting services (vulnerability assessment, penetration testing etc.)     | 78.8%              | 69.0%                 | 75.0%                                             | 75.2%
Next generation firewall (sandboxing, data loss prevention, application control etc.) | 72.7%              | 51.7%                 | 45.8%                                             | 62.4%
Distributed Denial of Service (DDoS) Mitigation                                       | 60.6%              | 55.2%                 | 37.5%                                             | 56.0%
Cyber Threat Intelligence (CTI)                                                       | 66.7%              | 44.8%                 | 37.5%                                             | 55.2%