Healthcare Security Study - Level 3 Communications

Healthcare Security Study February 14, 2017

Prepared For:

Enabling better health through information technology.

Presentation Outline
• Research Purpose and Design
• Research Methodology
• Respondent Demographics
• Research Findings and Results


Key Takeaways
• Three-quarters of respondents say EHRs are the most reliant on network uptime at their organization
• Every technique of security breach mitigation has over a 50% employment rate
  • Remote access/secure access control is employed by over 87% of respondent organizations, and internal security awareness programs are employed by over 84% of respondent organizations
  • Next generation firewall is the technique most likely to be employed at organizations within the next year, and cyber threat intelligence (CTI) is the technique most likely to be employed at organizations within the next two years
• 78% of respondents identified employee security awareness/culture as the overall biggest concern in terms of security threat exposure, with nearly half of respondents ranking it as the top concern
• Slightly more respondents identified competing priorities than budget as an overall greater barrier to achieving a comprehensive security program, but 13% more respondents identified budget as the number one barrier
  • Lack of leadership buy-in ranked last in overall rankings, and tied for last in number one rankings


Key Takeaways
• Respondents have a moderate level of concern towards a security breach occurring within a calendar year at their organization, with an average ranking of 4.8 out of 7
• Over half of respondents reported their network provider is highly involved in the security strategy and investments at their organization
• Over three-quarters of respondents indicate that network providers should be highly involved with security strategy and investments at their organization


Research Purpose and Design

To identify and understand high-level IT security concerns in the healthcare environment

Through a web-based, voice-of-customer quantitative study with IT personnel at U.S. hospitals and healthcare systems


Research Methodology
• Target Market: U.S. Hospitals and Healthcare Systems, Ambulatory Groups and Facilities
• Targeted: IT Leaders, C-Suite Executives, and IT professionals working amongst the healthcare environment
• Contacts via:
• Recruitment: Web study link open between January 17 and February 10, 2017

125 Respondents

Respondent Demographics

Patient Respondent Demographics

125 respondents
Work in or alongside the IT department at a healthcare provider organization

• 53%: Organizations with 500+ beds
• 87%: Acute Inpatient Hospital/Healthcare System
• 13%: Ambulatory Organizations
• 21%: C-suite level
• 49%: Director or Manager of IT
• 30%: IT Security Officers or other IT positions

Respondent Demographics

Respondent Titles (Grouped), N = 125
• C-suite: 20.8%
• Director/Manager of IT: 48.8%
• IT Security Officers and other IT positions: 30.4%

Respondent Titles Broken Down, N = 125
• CCO: 4.0%
• CIO: 9.6%
• CISO: 3.2%
• CTO: 4.0%
• Clinical Informaticist: 4.8%
• Director of IT: 19.2%
• IT Security Officer: 4.8%
• Manager of IT: 29.6%
• Other IT positions: 12.0%
• Other (please specify): 8.8%

Other (please specify) Director IMS Department Chair Chief Supply Chain Officer Medical Director for HIT Director of Clinical Data Reporting EHS Director CMIO

Respondent Demographics

Bed Size, N = 125
• Less than 50 beds: 14.4%
• 50-100 beds: 4.8%
• 101-250 beds: 10.4%
• 251-500 beds: 12.8%
• Greater than 501 beds: 52.8%
• Other (please specify): 4.8%

Organization Type, N = 125
• Academic Medical Center: 24.8%
• Corporate Offices of a Healthcare System: 28.8%
• Hospital that Is Part of a Delivery System: 16.0%
• Other Healthcare Organization (i.e. home healthcare, SNF, long-term care): 9.6%
• Stand Alone Hospital: 17.6%
• Other (please specify): 3.2%

Research Findings and Results

When thinking of your organization’s need for access to systems at all times (care critical especially), which applications most rely on network uptime? Please rank the importance of network uptime for each area 1 to 8 with 1 being the most important for network uptime and 8 being the least important for network uptime

[Chart: share of respondents ranking each application as High Importance (1-3), Average Importance (4-5) or Low Importance (6-8); N = 125]

The majority of organizations currently employ multiple practices to mitigate risk

What practices or services do you have in place to protect your organization/mitigate breaches? Please select all that apply.

• Remote access/secure access controls: 87.2%
• Internal/employee security awareness program: 84.8%
• Security consulting services (vulnerability assessment, penetration testing etc.): 75.2%
• Next generation firewall (sandboxing, data loss prevention, application control etc.): 62.4%
• Distributed Denial of Service (DDoS) Mitigation: 56.0%
• Cyber Threat Intelligence (CTI): 55.2%

N = 125

Mitigation techniques employed per organization bed size

What practices or services do you have in place to protect your organization/mitigate breaches? Please select all that apply.

• Remote access/secure access controls: 86.4%, 93.1%, 83.3%, 87.2%
• Internal/employee security awareness program: 87.9%, 89.7%, 70.8%, 84.8%
• Security consulting services (vulnerability assessment, penetration testing etc.): 78.8%, 69.0%, 75.0%, 75.2%
• Next generation firewall (sandboxing, data loss prevention, application control etc.): 72.7%, 51.7%, 45.8%, 62.4%
• Distributed Denial of Service (DDoS) Mitigation: 60.6%, 55.2%, 37.5%, 56.0%
• Cyber Threat Intelligence (CTI): 66.7%, 44.8%, 37.5%, 55.2%

500+ (N = 66) 101-500 (N = 29)