The 2017 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey provides insight into current cybersecurity programs in health care.
The HIMSS survey is based on feedback from 126 U.S. health information security professionals. The survey highlights some positive practices and some areas where most health care organizations could use improvement with their HIPAA compliance.
The survey reports that health care organizations with information security professionals on staff are working toward enhancing their cybersecurity programs. Approximately 71 percent could state a specific budget allocation for their cybersecurity program, with 60 percent reporting that 3 percent of their budget is earmarked for cybersecurity. About 8 percent stated that they currently have no budget for cybersecurity.
Insider Threat Management
Approximately 75 percent of respondents stated that they have insider threat management in place, but about 35 percent said it is informal.
Reminder: HIPAA compliance requires formal, documented policies and procedures for how your organization is managing threats.
Insider threats are often hard to detect. Without a formal method for detecting them, a breach is more likely to occur and to go unnoticed.
Most of the respondents conduct a risk assessment annually (85 percent), and about 34 percent of those conduct one more often. This primarily reflects the practices of larger organizations; smaller health care entities likely won’t have the bandwidth to conduct one more frequently than once a year.
Training and Awareness
About 87 percent of the respondents stated that security awareness training is provided to employees at least once a year, with 37 percent stating that they conduct training more frequently. Training is essential for HIPAA compliance. Protecting your health care organization from breaches starts with your team, so it’s important to train employees on how to identify and handle potential cybersecurity threats.
Penetration Testing and Social Engineering
While penetration testing and social engineering assessments are not specifically required for HIPAA compliance, NIST best practices suggest they should be conducted to reduce the risk of a breach. Penetration testing can be costly, so it is understandable that it is mostly the larger organizations that conduct such testing (75 percent). If penetration testing is not financially feasible, a vulnerability scan would be a worthwhile purchase for any organization. If a social engineering assessment isn’t financially feasible, ensure that employees understand how social engineering works, so that they are less likely to click on dangerous links.
For this survey, many of the respondents were from acute care providers (50 percent), meaning that half of the people providing information work for larger organizations. Little information was presented specifically on the cybersecurity practices of smaller offices with one or two doctors.
To learn more about what you should be doing for HIPAA compliance as a smaller organization, sign up for HIPAAgps’ services today.