If you don’t have a CISO, probably not.
Recent outbreaks of ransomware and destructive malware such as WannaCry, Petya and NotPetya can do a significant amount of damage to healthcare organizations, which hold a wealth of sensitive protected health information. The acceleration of these attacks has created a surge of activity among InfoSec leaders who are reassessing their current security programs and looking for practical long-term strategies.
The 2017 HIMSS Cybersecurity Survey, released August 9, 2017, surveyed 126 U.S. health information security professionals. A significant finding was that 40% of healthcare organizations do not have a CISO or other senior information security leader. Like a ship without a captain, such an organization faces significant challenges when navigating the tricky waters surrounding cybersecurity. It requires full-time

To give one example of how a lack of leadership affects cybersecurity, the HIMSS survey shows that 95% of healthcare organizations with a CISO have adopted the NIST Cybersecurity Framework, widely recognized as a best practice for addressing security issues. Conversely, only 30% of organizations without a senior security leader have adopted it. The survey details further gaps in other critical areas, including security education and training, cybersecurity assessments and business continuity planning.
The HIMSS report points to the following benefits of having a CISO or Information Security leader in Healthcare:
- Provide deep knowledge and expertise in regard to achieving holistic information security in the healthcare environment
- Shape an organization’s information security program with his or her in-depth knowledge about the threat landscape (including potential insider threat and cyber-attacks), methods and tools used for protecting information and IT assets, and analyzing and mitigating risks
- Lead an organization’s information security program with holistic and business enabling perspectives
- Drive organizational change throughout an organization and establish priorities in light of the vision, needs, and mission of an organization’s information security program
- Create a “culture” of cybersecurity, including helping to promote cybersecurity literacy and awareness
- Ensure that business and clinical operations, as well as workflow, are enabled (and not hampered) by information security
The full report can be downloaded here: http://www.himss.org/sites/himssorg/files/2017-HIMSS-Cybersecurity-Survey-Final-Report.pdf
For insights into how to implement NIST CSF, listen to a webinar hosted by Rsam CEO Vivek Shivananda.