Cybersecurity for healthcare: Is Your Healthcare Organization Set to Meet the Demands of Cybersecurity?

If you don’t have a CISO, probably not.

Recent outbreaks of cyberattacks such as WannaCry, Petya and NotPetya can do significant damage to healthcare companies, which hold a wealth of sensitive private health information. The acceleration of these types of attacks has created a surge of activity among InfoSec leaders who are reassessing their current security programs and looking for practical long-term strategies.

The 2017 HIMSS Cybersecurity Survey, released August 9, 2017, surveyed 126 U.S. health information security professionals. A significant finding was that 40% of healthcare organizations do not have a CISO or senior information security leader. Like a ship without a captain, such an organization faces significant challenges when navigating the very tricky waters surrounding cybersecurity. It requires full-time leadership. To give an example of how a lack of leadership can affect cybersecurity, the HIMSS Survey shows that 95% of healthcare organizations with a CISO have adopted the NIST Cybersecurity Framework, widely recognized as a best practice for addressing security issues. Conversely, only 30% of organizations without a senior security leader have adopted it. The survey details further discrepancies in other critical areas such as security education and training, cybersecurity assessments and business continuity planning.

The HIMSS report points to the following benefits of having a CISO or Information Security leader in Healthcare:

  • Provide deep knowledge and expertise in regard to achieving holistic information security in the healthcare environment
  • Shape an organization’s information security program with his or her in-depth knowledge about the threat landscape (including potential insider threat and cyber-attacks), methods and tools used for protecting information and IT assets, and analyzing and mitigating risks
  • Lead an organization’s information security program with holistic and business enabling perspectives
  • Drive organizational change throughout an organization and establish priorities in light of the vision, needs, and mission of an organization’s information security program
  • Create a “culture” of cybersecurity, including helping to promote cybersecurity literacy and awareness
  • Ensure that business and clinical operations, as well as workflow, are enabled (and not hampered) by information security

The full report can be downloaded here:

For insights into how to implement NIST CSF, listen to a webinar hosted by Rsam CEO Vivek Shivananda.