Wednesday, February 22, 2017

Health IT security stature increases, in fits and starts, at healthcare agencies

Security concerns in health IT are increasingly perceived as a large enough threat to command the attention of top executives and boards of directors at healthcare agencies.

That is progress from just a couple of years ago, when securing patient healthcare information was seen as only a health IT problem, according to the results of a recent HIMSS Analytics study.

Cybersecurity budgets are increasing, the survey found. Now, 24% of respondents say their agencies spent from 7% to 10% of their health IT budgets on security in 2016, compared with only 10% of respondents in 2015.

Recent healthcare security events that made front-page news in 2017—specifically, hospitals or healthcare systems that were hit and crippled by ransomware—helped heighten fear of cyber attacks among top executives and board members, says David Finn, health IT officer for Symantec, which commissioned the HIMSS Analytics study.

The recognition that a ransomware event can bring clinical care to a halt, and affect revenue streams as well, has raised awareness that such incidents represent a business risk that requires an agency-wide response.

But that awareness is still at an early stage, Finn says. “Many healthcare agencies continue to view cybersecurity as a health IT problem, instead of as a business risk management problem,” he says.

HIMSS Analytics expanded the survey to include clinical executive leaders, such as chief medical information officers and chief medical officers, and people in those positions are increasingly pushing the security agenda forward in their organizations, Finn noted. Those leaders understand that cyber attacks could ultimately stop clinicians from providing care to patients.

More healthcare agencies understand the need for a lead position to be designated for information security—the survey found that 67% of respondents said they have a dedicated chief information security officer role.

While that is a positive development, Finn points out that it means a third of healthcare organizations have not designated anyone to take the lead on information security. Since federal security rules were passed in 2005 requiring healthcare agencies to have someone in charge of security, that represents slow progress, he adds.

Staffing for IT security in healthcare agencies is growing, but inconsistently across healthcare organizations. There has been progress in the number of staff roles dedicated to information security—for instance, 13% of respondents reported having 6 to 10 employees dedicated to IT security, compared with 10% in 2015, and 11% of respondents said their organizations have 11 to 20 workers tasked with security.

However, the majority of respondents had fewer than four staff dedicated to information security in 2016, and a significant number of organizations have only one person responsible for securing their organization’s networks, Finn says.

More budget and commitment are required, he notes. For instance, the survey found that 57% of clinicians responding to a survey on IT security recognized the importance of training and asked for more training in security.

“Healthcare agencies are missing an opportunity here,” Finn says. “When you have clinicians recommending that they want more training, they understand they’ll be the biggest losers if an attack occurs.”
