
40% of healthcare lack designated CISO

FRIMLEY, ENGLAND – MAY 22: Image released on May 27, Medics at work in an Intensive Care ward treating coronavirus patients at Frimley Park Hospital in Surrey to send to the parents as visiting hours are restricted because of COVID pandemic on May 22, 2020 in Frimley, United Kingdom. The hospital is part of the Frimley Health NHS Foundation T...

Forty percent of healthcare organizations still don’t have a dedicated chief information security officer, down 12% from last year, according to the College of Healthcare Information Management Executives (CHIME) Digital Health Most Wired Survey.

Employing a designated CISO remains the least adopted core component across all provider types: Just 60% of acute and ambulatory care sites have a CISO and just 55% of long-term/post-acute care facilities.

However, acute care organizations that participated in the Most Wired survey prior to 2021 were more likely to have a CISO than new survey participants, 63% versus 46%.

The annual CHIME survey represents an average of 2,200 U.S. acute care facilities, 33,829 ambulatory providers, and 449 LTPAC. The report is designed to evaluate just where healthcare needs the most support and to improve care delivery, while enhancing the patient experience.

The report addresses a number of core healthcare issues, from patient engagement to value-based care. For its security assessment, CHIME analyzed the surveyed providers on whether or not they’ve implemented core comprehensive components.

To be counted as having a comprehensive program, the care sites must have employed: security training and education, risk assessments to find compliance and vulnerability gaps, dedicated cybersecurity committee, quarterly progress reports, annual tabletop exercises, semi-annual board updates, dedicated security operations centers, and a CISO.

Using those elements, CHIME determined just 32% of healthcare organizations have a comprehensive security program, down 2% from the previous year and up 8% from 2019. And only 26% of LTPAC organizations meet the standard.

That means the vast majority of healthcare cybersecurity programs are lacking key elements to effectively support the overall network.

“Under the new standard, security progress and security deficiencies must be reported quarterly (rather than the prior requirement of annual reporting), the board must be given a security update at least semi-annually (rather than annually), and organizations must have a dedicated security leader in the executive suite (a CISO rather than a director of security),” the report authors wrote.

There’s been a steady growth in adoption of individual components from 2020 to 2021. But the biggest gap, outside of failing to designate a CISO, is failure to establish a dedicated SOC: 78% of surveyed healthcare organizations have implemented this core component, up 4% from 2020 and 17% from 2019.

Notably, this area, while in need of improvement, has seen the largest adoption since 2019. Other elements on the lower end of the spectrum include: 81% give semi-annual updates to the board, 81% annually perform tabletops, and 82% formally document the risk management program to the board.

One key area in need of improvement, given that the majority of the largest healthcare data breaches in 2021 were caused by vendors, is the frequency with which the inventory of business associates is updated: Only 86% annually update the inventory of business associates.

The report also showed major growth in key areas, including a 15% increase in the number of organizations with a dedicated cybersecurity committee, up to a solid 95% of entities. And although CHIME raised the bar on its comprehensive security program requirements, there was continued growth in security measure adoption across the board.

Another 80% of acute and ambulatory care organizations and 82% of LTPAC said the pandemic did not hinder their ability to respond to or plan for cyber threats. However, the report authors stressed that this means one in five organizations still has increased vulnerabilities.

“Security measures that include people and processes, i.e., testing recovery plan, purple team exercises, social engineering risk assessment, continue to have the least adoption compared to technology-focused security measures,” according to the report.

CHIME added Purple Team exercises to the survey this year, describing them as “exercises where a blue team (defenders) and a red team (attackers) are brought together to simulate security threats.” As cybersecurity threats continue to rise across the sector, it’s increasingly critical for healthcare organizations to apply these exercises to their tabletop exercises and other proactive measures.

“While annual Purple Team Exercises are the least-adopted measure across organization types, they can significantly improve an organization’s security posture,” the report authors added.

In addition, the report found that the measures with the most growth in adoption include “adaptive or risk-based authentication for network access, medical device security tools and next-generation endpoint protection systems.”

As for the technologies brought on to track COVID-19, few organizations were actually able to use contact tracing technology to trace the spread of the virus in the last year. That could put to rest many of the security concerns raised by researchers who stressed these apps would introduce further risk to a highly targeted sector. Providers are instead relying on manual tracing via phone calls and spreadsheets (77%).

Despite being hammered by a pandemic for the last 18 months, provider organizations are continuing to prioritize security measures to combat ongoing threats. And as the number of CISOs remains a key failing for many organizations, it’s beyond time to consider some effective alternatives or to adopt a new hiring approach to attract cyber talent.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
