In the wake of a record-breaking $16 million data breach settlement earlier this month that put insurers and providers alike on notice that ignoring cybersecurity risks could come with a hefty price tag, a new national survey of U.S. health systems finds that only 29 percent report having a comprehensive cybersecurity program in place.
“Due to a growing number of internal and external security threats, it has become increasingly more difficult for health care organizations to protect their sensitive information, including patients’ personal health information,” according to CHIME HealthCare’s Most Wired: National Trends 2018 report issued during the annual CHIME Fall CIO Forum in San Diego. Clearwater, a CHIME member and top-ranked health care cyber risk management solutions company, was a sponsor of the research for a second year.
Clearwater Chief Trust & Security Officer Richard Staynings said the findings from this year’s Most Wired research should be a wake-up call for health system leadership especially as health care becomes increasingly digital (the overall Internet of Medical Things, or IoMT, market is expected to grow from $41 billion in 2017 to $158 billion by 2022, Deloitte, July 2018).
“The question every board of directors and executive leadership team should be asking themselves is, have we done a sufficient risk analysis, and if not, why not?” said Staynings. “In our own analysis of the past 57 OCR settlements involving a breach of electronic protected health information, in 88 percent of the cases, the health care organization failed to do a sufficient risk analysis. That’s pretty mind boggling.”
The Anthem data breach, affecting nearly 79 million people, is the largest ever reported, and statistics show health care breaches are on the rise, with 277 breaches reported through the first nine months of 2018, compared with 271 during the same period the year before. Most breaches stemmed from hacking or “IT incidents,” according to the HHS Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Regulators also noted that Anthem failed to take several basic security steps, including conducting an enterprise-wide security risk assessment covering all assets involved with PHI, including assets thought to be “out of scope.”
While Most Wired found that most respondents have taken at least one step toward an incident-response plan (97 percent said they have a documented EHR-outage procedure, for example), only 29 percent reported having a comprehensive cybersecurity program in place. Just 26 percent of those surveyed said they had adopted all 10 critical components of an incident response plan, 43 percent had adopted seven to nine components, and 31 percent reported adopting fewer than seven.
“Before provider organizations can achieve outcomes with their strategies for population health management, value-based care, patient engagement, and telehealth, they must first ensure that foundational pieces such as integration, interoperability, security, and disaster recovery are in place,” the CHIME report concluded.
The annual Most Wired survey is designed to identify and recognize health care organizations that exemplify best practices through their adoption, implementation and use of information technology. This is CHIME’s first year overseeing the Most Wired program since acquiring it from the American Hospital Association. Participation is open to all CIOs and qualified health organizations.