Managing Healthcare Risk in a Networked World

Independently conducted by Ponemon Institute LLC  |  Sponsored by Michigan Healthcare Cybersecurity Council

Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in September 2021.

    Survey response            Frequency   Percentage
    Total sampling frame           6,700         100%
    Total returns                    255         3.8%
    Rejected surveys                  36         0.5%
    Final sample                     219         3.3%

Part 1. Screening questions

Responses marked (stop) ended the survey, so they appear at 0% in the final sample.

S1. How familiar are you with your organization's efforts to reduce its cybersecurity risk?
    Response                                    Percentage
    Very familiar                                      40%
    Familiar                                           38%
    Somewhat familiar                                  22%
    Not familiar/No knowledge (stop)                    0%
    Total                                             100%

S2. What percentage of your organization is devoted to providing healthcare services to patients in the State of Michigan?
    Response                                    Percentage
    Less than 5% (stop)                                 0%
    5% to 25% (stop)                                    0%
    26% to 50% (stop)                                   0%
    51% to 75%                                         32%
    76% to 100%                                        68%
    Total                                             100%

S3. What percentage of your workweek is devoted to information security strategy or tactical planning and response?
    Response                                    Percentage
    0% (stop)                                           0%
    Less than 5% (stop)                                 0%
    5% to 25%                                          14%
    26% to 50%                                         19%
    51% to 75%                                         29%
    76% to 100%                                        38%
    Total                                             100%
    Extrapolated value                                 61%

Part 2. Environment: leadership, policies, and governance

Q1. What best describes the healthcare organization you work in?
    Response                                    Percentage
    Hospital, public (non-VA, non-IHS)                 11%
    Hospital, private                                  30%
    Health system, public (non-VA, non-IHS)            15%
    Health system, private                             31%
    Veterans Administration facility(-ies)              8%
    Indian Health Service facility(-ies)                5%
    Total                                             100%

Q2. What best describes the organizational department or function in which you reside?
    Response                                    Percentage
    Administration                                     15%
    Information technology (IT)                        34%
    IT security                                        15%
    Clinical services                                  12%
    Management                                         14%
    Compliance & audit                                  8%
    Other (please specify)                              2%
    Total                                             100%

Q3. How many licensed beds are available within your hospital?
    Response                                    Percentage
    None (ambulatory care)                             40%
    Less than 100 beds                                 13%
    100 to 250 beds                                    21%
    251 to 500 beds                                    13%
    501 to 1,000 beds                                   8%
    More than 1,000 beds                                5%
    Total                                             100%
    Extrapolated value (beds)                          209
Q4. What security threats is your organization most concerned about? Please select the top four threats.
    Response                                    Percentage
    Unsecure medical devices                           49%
    Cyber extortion (ransomware)                       43%
    Cyber attackers                                    41%
    Phishing                                           40%
    Third-party misuse of patient data                 39%
    Insecure mobile apps (eHealth)                     30%
    Use of public cloud services                       28%
    System failures                                    26%
    Identity thieves                                   23%
    Employee negligence or error                       21%
    Mobile device insecurity                           19%
    Malicious insiders                                 14%
    Employee-owned mobile devices or BYOD              12%
    Process failures                                   12%
    Other (please specify)                              3%
    Total (four selections per respondent)            400%

Q5. How will your organization's investment in security technologies change in the next 12 months?
    Response                                    Percentage
    Significantly increase                             30%
    Increase                                           29%
    Stay the same                                      25%
    Decrease                                           11%
    Significantly decrease                              5%
    Don't know                                          0%
    Total                                             100%

Q6. How do you believe your organization's dependency on third parties will change over the next three years?
    Response                                    Percentage
    Significantly increase                             25%
    Increase                                           33%
    Stay the same                                      23%
    Decrease                                           15%
    Significantly decrease                              4%
    Total                                             100%
Q7. Who is most accountable for ensuring cybersecurity risks are addressed in a timely manner? Please select only one top choice.
    Response                                    Percentage
    CIO/CTO                                            15%
    IT security leader (CISO)                          25%
    Security leader (CSO)                               9%
    Chief risk officer (CRO)                            7%
    Compliance/legal                                    6%
    Business unit leader                               20%
    Operations leader                                   8%
    No one role has overall accountability              8%
    Other (please specify)                              0%
    Total (as reported; does not sum to 100%)          98%

Q8. Who is most accountable for ensuring compliance with privacy and security regulations? Please select only one top choice.
    Response                                    Percentage
    CIO/CTO                                            12%
    IT security leader (CISO)                          17%
    Security leader (CSO)                               5%
    Chief risk officer (CRO)                            9%
    Chief privacy officer (CPO)                         6%
    Compliance/legal                                   20%
    Business unit leader                               16%
    Operations leader                                   7%
    No one role has overall accountability              8%
    Other (please specify)                              0%
    Total                                             100%

Q9. Who is most accountable for an enterprise-wide strategy for minimizing risks to your organization's sensitive and confidential data? Please select only one top choice.
    Response                                    Percentage
    CIO/CTO                                            21%
    IT security leader (CISO)                          12%
    Security leader (CSO)                               3%
    Chief risk officer (CRO)                           13%
    Chief privacy officer (CPO)                         6%
    Compliance/legal                                   12%
    Business unit leader                               15%
    Operations leader                                   3%
    No one role has overall accountability             14%
    Other (please specify)                              1%
    Total                                             100%
Q10. How often are your cybersecurity policies reviewed and adjusted as needed?
    Response                                                   Percentage
    Monthly                                                           7%
    Quarterly                                                        15%
    Bi-annually                                                      11%
    Annually                                                         19%
    No set time (e.g., ad hoc)                                       22%
    Only when our organization has a cybersecurity incident          24%
    Unsure                                                            2%
    Total                                                           100%

Q11. Does your organization use any continuous monitoring product or service?
    Response                                    Percentage
    Yes                                                34%
    No                                                 60%
    Unsure                                              6%
    Total                                             100%

Q12. Did the level of digital maturity affect the ability of your organization's workforce to work remotely due to the pandemic?
    Response                                    Percentage
    Yes                                                50%
    No                                                 43%
    Unsure                                              7%
    Total                                             100%

Q13. Does your organization have a comprehensive inventory of its critical applications and who has access to them?
    Response                                    Percentage
    Yes                                                34%
    No                                                 59%
    Unsure                                              7%
    Total                                             100%

Q14. Does your organization have a comprehensive inventory of its hardware and/or software?
    Response                                    Percentage
    Yes                                                29%
    No                                                 71%
    Total                                             100%
Q15. How many network-connected devices do you think your organization has?
    Response                                    Percentage
    Less than 1,000                                     8%
    1,000 to 10,000                                     9%
    10,001 to 20,000                                   20%
    20,001 to 50,000                                   26%
    50,001 to 100,000                                  21%
    100,001 to 200,000                                  9%
    More than 200,000                                   7%
    Total                                             100%
    Extrapolated value (devices)                    55,925

Part 3. Incident experience and response

Q16. What types of security incidents has your organization experienced in the past 12 months? Please check all that apply.
    Response                                                              Percentage
    Advanced persistent threats (APT) / targeted attacks                         37%
    Botnet attacks                                                               34%
    Clickjacking                                                                 19%
    Denial of service (DoS)                                                      44%
    Exploit of existing software vulnerability greater than 3 months old         31%
    Exploit of existing software vulnerability less than 3 months old            29%
    Lost or stolen devices                                                       54%
    Ransomware                                                                   42%
    Rootkits                                                                     25%
    Spear phishing                                                               43%
    SQL injection                                                                21%
    Web-borne malware attacks                                                    23%
    Zero-day attacks                                                             19%
    Total (multiple selections)                                                 421%
Q17. How many successful cyberattacks has your organization experienced over the past 12 months?
    Response                                    Percentage
    None                                               19%
    1 to 5                                             21%
    6 to 10                                            20%
    11 to 25                                           15%
    26 to 50                                           11%
    51 to 100                                           8%
    More than 100                                       6%
    Total                                             100%
    Extrapolated value (attacks)                     22.24

Q18. How many data breaches has your organization experienced over the past 12 months?
    Response                                    Percentage
    None (please skip to Q21)                          16%
    1 to 2                                             32%
    3 to 4                                             37%
    More than 5                                        15%
    Total                                             100%
    Extrapolated value (breaches)                      2.7

Q19. What percentage of these incidents were successfully mitigated?
    Response                                    Percentage
    Less than 10%                                      11%
    11% to 25%                                         14%
    26% to 50%                                         20%
    51% to 75%                                         23%
    76% to 100%                                        32%
    Total                                             100%
    Extrapolated value                                 53%

Q20. Have any of these incidents involved the loss or exposure of patient information in the past 12 months?
    Response                                    Percentage
    Yes                                                64%
    No                                                 30%
    Unsure                                              6%
    Total                                             100%
Q21a. Does your organization have a cybersecurity incident response plan?
    Response                                    Percentage
    Yes                                                63%
    No (please skip to Q22)                            30%
    Unsure (please skip to Q22)                         7%
    Total                                             100%

Q21b. If yes, how often does your organization exercise its incident response plan?
    Response                                                   Percentage
    Monthly                                                          11%
    Quarterly                                                        16%
    Bi-annually                                                      14%
    Annually                                                         23%
    No set time (e.g., ad hoc)                                       20%
    Only when our organization has a cybersecurity incident          16%
    Total                                                           100%

Q21c. If yes, who is involved in the incident response program? Please check all that apply.
    Response                                    Percentage
    Corporate counsel/compliance                       52%
    Human resources                                    43%
    Information security                               65%
    Information technology                             54%
    Lines of business                                  41%
    Privacy office                                      6%
    Risk management                                    39%
    Finance                                            29%
    Internal audit                                     21%
    Other (please specify)                              3%
    Total (multiple selections)                       353%

Part 4. Data loss prevention

Q22. Does your organization have an enterprise-wide data management strategy?
    Response                                    Percentage
    Yes                                                54%
    No (please skip to Q24)                            37%
    Unsure (please skip to Q24)                         9%
    Total                                             100%

Q23. Which of the following risks does your organization's data management strategy address? Please select all that apply.
    Response                                    Percentage
    Privileged user access management                  33%
    Third-party vendors                                54%
    Malicious insiders                                 38%
    Negligent insiders                                 40%
    Cyber criminals                                    47%
    Unplanned downtime                                 56%
    Data breaches                                      39%
    Total (multiple selections)                       307%

Q24. What types of data is your organization most concerned about protecting? Please select all that apply.
    Response                                    Percentage
    Accounting and financial information               17%
    Administrative and scheduling information          23%
    Clinical trial and other research information      15%
    Email content and attachments                      36%
    Employee information, including payroll data       42%
    Login credentials                                  54%
    Passwords and other authentication credentials     62%
    Patient billing information                        49%
    Patient medical records                            80%
    Productivity applications                          40%
    Total (multiple selections)                       418%
Q25a. How would you rate your confidence that data loss prevention technologies and processes used in your organization have reduced the loss or leakage of sensitive information? Please use the 10-point scale provided below (1 = no confidence, 10 = complete confidence).
    Response                                    Percentage
    1 or 2                                             21%
    3 or 4                                             29%
    5 or 6                                             14%
    7 or 8                                             20%
    9 or 10                                            16%
    Total                                             100%
    Extrapolated value (scale of 1 to 10)             5.12

Q25b. If confident (responses of 7 or higher), why? Please select all that apply.
    Response                                                   Percentage
    Sufficient budget (money)                                        29%
    Sufficient staffing                                              53%
    Effective technologies                                           47%
    In-house expertise                                               40%
    Clear leadership                                                 56%
    Understanding how to protect against cyberattacks                41%
    Management sees cyberattacks as a significant risk               39%
    Considered a top priority                                        30%
    Other (please specify)                                            3%
    Total (multiple selections)                                     338%
Q26. Does your organization have mandatory cybersecurity training for its workforce?
    Response                                    Percentage
    Yes                                                48%
    No (please skip to Q31)                            52%
    Total                                             100%

Q27. Which function is most accountable for ensuring mandatory cybersecurity training is conducted by your organization? Please provide your top two choices.
    Response                                    Percentage
    Corporate counsel/compliance                       35%
    Human resources                                    31%
    Information security                               28%
    Information technology                             28%
    Lines of business                                  42%
    Privacy office                                      5%
    Risk management                                     7%
    Finance                                             6%
    Internal audit                                      7%
    No one function is most accountable                10%
    Total (two selections per respondent)             200%
Q28. When are employees required to take cybersecurity training? Please select all that apply.
    Response                                                     Percentage
    Only upon joining the organization                                 40%
    Every six months                                                   15%
    Once each year                                                     29%
    Only after the organization has a cybersecurity incident           35%
    No set time (e.g., ad hoc)                                         40%
    Only when the organization has a security incident                 32%
    Total (multiple selections)                                       191%
Q29. Which of the following threats does your training program cover? Please select all that apply.
    Response                                                                      Percentage
    Credential theft                                                                     45%
    Cyber attackers                                                                      37%
    Cyber extortion (ransomware)                                                         38%
    Employee negligence or error                                                         35%
    Employee-owned mobile devices or BYOD                                                16%
    Insecure mobile apps (eHealth)                                                       20%
    Malicious insiders                                                                   27%
    Mobile device insecurity                                                              9%
    Phishing                                                                             56%
    Risks created by geographically separated employees, including overseas locations    12%
    Risks created by working remotely                                                    60%
    Third-party misuse of patient data                                                   40%
    Total (multiple selections)                                                         395%

Q30. Does your organization have cybersecurity training for its senior leaders, such as tabletop or operational exercises?
    Response                                    Percentage
    Yes                                                39%
    No                                                 54%
    Unsure                                              7%
    Total                                             100%
Please rate the following statements using the agreement scale. Percentages shown are "Strongly agree" and "Agree" responses combined.

    Statement                                                                                         Strongly agree / Agree
    Q31. Our organization's senior leaders take a cross-functional approach to identifying gaps in security and vulnerabilities in order to understand, prioritize, mitigate and communicate risks that exist throughout the organization.        41%
    Q32. Our organization's senior leaders are involved in prioritizing cybersecurity threats, determining the organization's willingness to accept a certain level of risk and identifying strategies to minimize risk.        39%
    Q33. In our organization IT management and senior leaders work closely together to manage cybersecurity risks and to have an effective cybersecurity incident response plan in place.        35%
    Q34. The need to improve when, where and how healthcare is delivered (e.g., telemedicine) is the key to a healthier population.        62%
    Q35. There is an urgent need for artificial intelligence decision-making tools/technologies and interconnected devices that can seamlessly track patients' status.        58%
    Q36. Our senior leaders make compliance with such regulations as the HIPAA Security Rule, Joint Commission, and state privacy regulations a higher priority than improving the cybersecurity posture of our organization.        34%
    Q37. Our organization is proactive in understanding third-party relationships, monitoring and overseeing vendors, and updating, monitoring and enforcing contract terms.        37%
    Q38. It is critical to have a comprehensive cybersecurity awareness training program that educates all technology users to recognize attack vectors and to reduce, prevent and respond to cybersecurity incidents.        47%
    Q39. Our organization has problems balancing the pursuit of digital innovations with the need to comply with regulations and reduce cybersecurity risks.        59%
    Q40. Our senior leaders believe they can pursue opportunities to improve the customer/patient experience, develop new market opportunities and launch innovative business initiatives while concurrently strengthening the protection of sensitive data and IT assets.        40%
D1. How many years of relevant experience in the healthcare industry do you have?
    Response                                    Percentage
    Less than 1 year                                    0%
    1 to 5 years                                        5%
    6 to 10 years                                      16%
    11 to 15 years                                     26%
    16 to 20 years                                     30%
    More than 20 years                                 23%
    Total                                             100%
    Extrapolated value (years)                        15.7