Appendix: Detailed Survey Results
The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in September 2021.
Survey Response | Frequency | Percentage |
---|---|---|
Total sampling frame | 6,700 | 100% |
Total returns | 255 | 3.8% |
Rejected surveys | 36 | 0.5% |
Final sample | 219 | 3.3% |
Part 1. Screening questions
S1. How familiar are you with your organization’s efforts to reduce its cybersecurity risk? | Percentage |
---|---|
Very familiar | 40% |
Familiar | 38% |
Somewhat familiar | 22% |
Not familiar/No knowledge (stop) | 0% |
Total | 100% |
S2. What percentage of your organization is devoted to providing healthcare services to patients in the State of Michigan? | Percentage |
---|---|
Less than 5% (stop) | 0% |
5% to 25% (stop) | 0% |
26% to 50% (stop) | 0% |
51% to 75% | 32% |
76% to 100% | 68% |
Total | 100% |
S3. What percentage of your workweek is devoted to information security strategy or tactical planning and response? | Percentage |
---|---|
0% (stop) | 0% |
Less than 5% (stop) | 0% |
5% to 25% | 14% |
26% to 50% | 19% |
51% to 75% | 29% |
76% to 100% | 38% |
Total | 100% |
Extrapolated value | 61% |
Part 2. Environment: leadership, policies, and governance
Q1. What best describes the healthcare organization you work in? | Percentage |
---|---|
Hospital, public (non-VA, non-IHS) | 11% |
Hospital, private | 30% |
Health system, public (non-VA, non-IHS) | 15% |
Health system, private | 31% |
Veteran’s Administration facility(-ies) | 8% |
Indian Health Services facility(-ies) | 5% |
Total | 100% |
Q2. What best describes the organizational department or function in which you reside? | Percentage |
---|---|
Administration | 15% |
Information technology (IT) | 34% |
IT security | 15% |
Clinical services | 12% |
Management | 14% |
Compliance & audit | 8% |
Other (please specify) | 2% |
Total | 100% |
Q3. How many licensed beds are available within your hospital? | Percentage |
---|---|
None (ambulatory care) | 40% |
Less than 100 beds | 13% |
100 to 250 beds | 21% |
251 to 500 beds | 13% |
501 to 1,000 beds | 8% |
More than 1,000 beds | 5% |
Total | 100% |
Extrapolated value | 209 |
Q4. What security threats is your organization most concerned about? Please select the top four threats. | Percentage |
---|---|
Unsecure medical devices | 49% |
Cyber extortion (ransomware) | 43% |
Cyber attackers | 41% |
Phishing | 40% |
Third-party misuse of patient data | 39% |
Insecure mobile apps (eHealth) | 30% |
Use of public cloud services | 28% |
System failures | 26% |
Identity thieves | 23% |
Employee negligence or error | 21% |
Mobile device insecurity | 19% |
Malicious insiders | 14% |
Employee-owned mobile devices or BYOD | 12% |
Process failures | 12% |
Other (please specify) | 3% |
Total | 400% |
Q5. How will your organization’s investment in security technologies change in the next 12 months? | Percentage |
---|---|
Significantly increase | 30% |
Increase | 29% |
Stay the same | 25% |
Decrease | 11% |
Significantly decrease | 5% |
Don’t know | 0% |
Total | 100% |
Q6. How do you believe your organization’s dependency on third parties will change over the next three years? | Percentage |
---|---|
Significantly increase | 25% |
Increase | 33% |
Stay the same | 23% |
Decrease | 15% |
Significantly decrease | 4% |
Total | 100% |
Q7. Who is most accountable for ensuring cybersecurity risks are addressed in a timely manner? Please select only one top choice. | Percentage |
---|---|
CIO/CTO | 15% |
IT security leader (CISO) | 25% |
Security leader (CSO) | 9% |
Chief risk officer (CRO) | 7% |
Compliance/legal | 6% |
Business unit leader | 20% |
Operations leader | 8% |
No one role has overall accountability | 8% |
Other (please specify) | 0% |
Total | 98% |
Q8. Who is most accountable for ensuring compliance with privacy and security regulations? Please select only one top choice. | Percentage |
---|---|
CIO/CTO | 12% |
IT security leader (CISO) | 17% |
Security leader (CSO) | 5% |
Chief risk officer (CRO) | 9% |
Chief privacy officer (CPO) | 6% |
Compliance/legal | 20% |
Business unit leader | 16% |
Operations leader | 7% |
No one role has overall accountability | 8% |
Other (please specify) | 0% |
Total | 100% |
Q9. Who is most accountable for an enterprise-wide strategy for minimizing risks to your organization’s sensitive and confidential data? Please select only one top choice. | Percentage |
---|---|
CIO/CTO | 21% |
IT security leader (CISO) | 12% |
Security leader (CSO) | 3% |
Chief risk officer (CRO) | 13% |
Chief privacy officer (CPO) | 6% |
Compliance/legal | 12% |
Business unit leader | 15% |
Operations leader | 3% |
No one role has overall accountability | 14% |
Other (please specify) | 1% |
Total | 100% |
Q10. How often are your cybersecurity policies reviewed and adjusted as needed? | Percentage |
---|---|
Monthly | 7% |
Quarterly | 15% |
Bi-annually | 11% |
Annually | 19% |
No set time (e.g., ad hoc) | 22% |
Only when our organization has a cybersecurity incident | 24% |
Unsure | 2% |
Total | 100% |
Q11. Does your organization use any continuous monitoring product or service? | Percentage |
---|---|
Yes | 34% |
No | 60% |
Unsure | 6% |
Total | 100% |
Q12. Did the level of digital maturity affect the ability of your organization’s workforce to work remotely due to the pandemic? | Percentage |
---|---|
Yes | 50% |
No | 43% |
Unsure | 7% |
Total | 100% |
Q13. Does your organization have a comprehensive inventory of its critical applications and who has access to them? | Percentage |
---|---|
Yes | 34% |
No | 59% |
Unsure | 7% |
Total | 100% |
Q14. Does your organization have a comprehensive inventory of its hardware and/or software? | Percentage |
---|---|
Yes | 29% |
No | 71% |
Total | 100% |
Q15. How many network-connected devices do you think your organization has? | Percentage |
---|---|
Less than 1,000 | 8% |
1,000 to 10,000 | 9% |
10,001 to 20,000 | 20% |
20,001 to 50,000 | 26% |
50,001 to 100,000 | 21% |
100,001 to 200,000 | 9% |
More than 200,000 | 7% |
Total | 100% |
Extrapolated value | 55,925 |
Part 3. Incident experience and response
Q16. What types of security incidents has your organization experienced in the past 12 months? Please check all that apply. | Percentage |
---|---|
Advanced persistent threats (APT) / targeted attacks | 37% |
Botnet attacks | 34% |
Clickjacking | 19% |
Denial of services (DoS) | 44% |
Exploit of existing software vulnerability greater than 3 months old | 31% |
Exploit of existing software vulnerability less than 3 months old | 29% |
Lost or stolen devices | 54% |
Ransomware | 42% |
Rootkits | 25% |
Spear phishing | 43% |
SQL injection | 21% |
Web-borne malware attacks | 23% |
Zero-day attacks | 19% |
Total | 421% |
Q17. How many successful cyberattacks has your organization experienced over the past 12 months? | Percentage |
---|---|
None | 19% |
1 to 5 | 21% |
6 to 10 | 20% |
11 to 25 | 15% |
26 to 50 | 11% |
51 to 100 | 8% |
More than 100 | 6% |
Total | 100% |
Extrapolated value | 22.24 |
Q18. How many data breaches has your organization experienced over the past 12 months? | Percentage |
---|---|
None (please skip to Q21) | 16% |
1 to 2 | 32% |
3 to 4 | 37% |
More than 5 | 15% |
Total | 100% |
Extrapolated value | 2.7 |
Q19. What percentage of these incidents were successfully mitigated? | Percentage |
---|---|
Less than 10% | 11% |
11% to 25% | 14% |
26% to 50% | 20% |
51% to 75% | 23% |
76% to 100% | 32% |
Total | 100% |
Extrapolated value | 53% |
Q20. Have any of these incidents involved the loss or exposure of patient information in the past 12 months? | Percentage |
---|---|
Yes | 64% |
No | 30% |
Unsure | 6% |
Total | 100% |
Q21a. Does your organization have a cybersecurity incident response plan? | Percentage |
---|---|
Yes | 63% |
No (please skip to Q22) | 30% |
Unsure (please skip to Q22) | 7% |
Total | 100% |
Q21b. If yes, how often does your organization exercise its incident response plan? | Percentage |
---|---|
Monthly | 11% |
Quarterly | 16% |
Bi-annually | 14% |
Annually | 23% |
No set time (e.g., ad hoc) | 20% |
Only when our organization has a cybersecurity incident | 16% |
Total | 100% |
Q21c. If yes, who is involved in the incident response program? Please check all that apply. | Percentage |
---|---|
Corporate counsel/compliance | 52% |
Human resources | 43% |
Information security | 65% |
Information technology | 54% |
Lines of business | 41% |
Privacy office | 6% |
Risk management | 39% |
Finance | 29% |
Internal audit | 21% |
Other (please specify) | 3% |
Total | 353% |
Part 4. Data loss prevention
Q22. Does your organization have an enterprise-wide data management strategy? | Percentage |
---|---|
Yes | 54% |
No (please skip to Q24) | 37% |
Unsure (please skip to Q24) | 9% |
Total | 100% |
Q23. Which of the following risks does your organization’s data management strategy address? Please select all that apply. | Percentage |
---|---|
Privileged user access management | 33% |
Third-party vendors | 54% |
Malicious insiders | 38% |
Negligent insiders | 40% |
Cyber criminals | 47% |
Unplanned downtime | 56% |
Data breaches | 39% |
Total | 307% |
Q24. What types of data is your organization most concerned about protecting? Please select all that apply. | Percentage |
---|---|
Accounting and financial information | 17% |
Administrative and scheduling information | 23% |
Clinical trial and other research information | 15% |
Email content and attachments | 36% |
Employee information, including payroll data | 42% |
Login credentials | 54% |
Passwords and other authentication credentials | 62% |
Patient billing information | 49% |
Patient medical records | 80% |
Productivity applications | 40% |
Total | 418% |
Q25a. How would you rate your confidence that data loss prevention technologies and processes used in your organization have reduced the loss or leakage of sensitive information? Please use the 10-point scale provided below. | Percentage |
---|---|
1 or 2 | 21% |
3 or 4 | 29% |
5 or 6 | 14% |
7 or 8 | 20% |
9 or 10 | 16% |
Total | 100% |
Extrapolated value | 5.12 |
Q25b. If confident (7+ responses), why? Please select all that apply. | Percentage |
---|---|
Sufficient budget (money) | 29% |
Sufficient staffing | 53% |
Effective technologies | 47% |
In-house expertise | 40% |
Clear leadership | 56% |
Understanding how to protect against cyberattacks | 41% |
Management sees cyberattacks as a significant risk | 39% |
Considered a top priority | 30% |
Other (please specify) | 3% |
Total | 338% |
Q26. Does your organization have mandatory cybersecurity training for its workforce? | Percentage |
---|---|
Yes | 48% |
No (please skip to Q31) | 52% |
Total | 100% |
Q27. Which function is most accountable for ensuring mandatory cybersecurity training is conducted by your organization? Please provide your top two choices. | Percentage |
---|---|
Corporate counsel/compliance | 35% |
Human resources | 31% |
Information security | 28% |
Information technology | 28% |
Lines of business | 42% |
Privacy office | 5% |
Risk management | 7% |
Finance | 6% |
Internal audit | 7% |
No one function is most accountable | 10% |
Total | 200% |
Q28. When are employees required to take cybersecurity training? Please select all that apply. | Percentage |
---|---|
Only upon joining the organization | 40% |
Every six months | 15% |
Once each year | 29% |
Only after the organization has a cybersecurity incident | 35% |
No set time (e.g., ad hoc) | 40% |
Only when the organization has a security incident | 32% |
Total | 191% |
Q29. Which of the following threats does your training program cover? Please select all that apply. | Percentage |
---|---|
Credential theft | 45% |
Cyber attackers | 37% |
Cyber extortion (ransomware) | 38% |
Employee negligence or error | 35% |
Employee-owned mobile devices or BYOD | 16% |
Insecure mobile apps (eHealth) | 20% |
Malicious insiders | 27% |
Mobile device insecurity | 9% |
Phishing | 56% |
Risks created by geographically separated employees, including overseas locations | 12% |
Risks created by working remotely | 60% |
Third-party misuse of patient data | 40% |
Total | 395% |
Q30. Does your organization have cybersecurity training for its senior leaders such as tabletop or operational exercises? | Percentage |
---|---|
Yes | 39% |
No | 54% |
Unsure | 7% |
Total | 100% |
Please rate the following statements using the agreement scale: Strongly Agree and Agree combined | Percentage |
---|---|
Q31. Our organization’s senior leaders take a cross-functional approach to identifying gaps in security and vulnerabilities in order to understand, prioritize, mitigate and communicate risks that exist throughout the organization. | 41% |
Q32. Our organization’s senior leaders are involved in prioritizing cybersecurity threats, determining the organization’s willingness to accept a certain level of risk and identifying strategies to minimize risk. | 39% |
Q33. In our organization IT management and senior leaders work closely together to manage cybersecurity risks and to have an effective cybersecurity incident response plan in place. | 35% |
Q34. The need to improve when, where and how healthcare is delivered (e.g., telemedicine) is the key to a healthier population. | 62% |
Q35. There is an urgent need for artificial intelligence decision-making tools/technologies and interconnected devices that can seamlessly track patients’ status. | 58% |
Q36. Our senior leaders make compliance with such regulations as the HIPAA Security Rule, Joint Commission, and state privacy regulations a higher priority than improving the cybersecurity posture of our organization. | 34% |
Q37. Our organization is proactive in understanding third-party relationships, monitoring and overseeing vendors and updating and monitoring and enforcing contract terms. | 37% |
Q38. It is critical to have a comprehensive cybersecurity awareness training program that educates all technology users to recognize attack vectors and to reduce, prevent and to respond to cybersecurity incidents. | 47% |
Q39. Our organization has problems balancing the pursuit of digital innovations with the need to comply with regulations and reduce cybersecurity risks. | 59% |
Q40. Our senior leaders believe they can pursue opportunities to improve the customer/patient experience, develop new market opportunities and launch innovative business initiatives while concurrently strengthening the protection of sensitive data and IT assets. | 40% |
D1. How many years of relevant experience in the healthcare industry do you have? | Percentage |
---|---|
Less than 1 year | 0% |
1 to 5 years | 5% |
6 to 10 years | 16% |
11 to 15 years | 26% |
16 to 20 years | 30% |
More than 20 years | 23% |
Total | 100% |
Extrapolated value | 15.7 |