Managing Healthcare Risk in a Networked World

Independently conducted by Ponemon Institute LLC  |  Sponsored by Michigan Healthcare Cybersecurity Council

Roles, Team & Budget

KEY FINDING: Most respondents work in private health systems and hospitals.

As shown in the graph below, 61 percent of respondents say they work in private health systems (31 percent) or private hospitals (30 percent).

[Chart: What best describes the healthcare organization you work in? Categories shown: Health system, private; Hospital, private; Health system, public (non-VA, non-IHS); Hospital, public (non-VA, non-IHS); Veteran's Administration facility(-ies); Indian Health Services facility(-ies). Bar values were not captured in the extraction.]

As shown in the graph below, almost half (49 percent) of respondents work in IT (34 percent) or IT security (15 percent).

[Chart: What best describes the department or function in which you reside? Categories shown: Information technology (IT); IT security; Administration; Management; Clinical services; Compliance & audit; Other. Bar values were not captured in the extraction.]

KEY FINDING: To reduce cybersecurity risks and improve the patient experience, senior leaders need to work more closely with IT.

The graphs below present actions senior leaders should be taking in the management of cybersecurity risks and the improvement of the patient experience. As shown, most senior leaders are not involved in these various governance activities. Specifically, only 35 percent of respondents say IT management and senior leaders work closely together to manage cybersecurity risks and to have an effective cybersecurity incident response plan in place.

Other problems include senior leaders not taking a cross-functional approach to identifying gaps in security and vulnerabilities in order to understand, prioritize, mitigate and communicate risks (only 41 percent of respondents say they do), and not being involved in prioritizing cybersecurity threats and determining the level of acceptable risk (only 39 percent of respondents). As a result, only 40 percent of respondents say their senior leaders believe they can pursue opportunities to improve the customer/patient experience and launch innovative business initiatives while at the same time strengthening data protection practices.

[Chart: The state of senior leaders' management of healthcare cybersecurity risks (Strongly Agree and Agree responses combined). Statements shown: Senior leaders take a cross-functional approach to identifying gaps in security and vulnerabilities; Senior leaders believe they can pursue opportunities to improve the customer/patient experience; Senior leaders are involved in prioritizing cybersecurity threats; IT management and senior leaders work closely; Senior leaders make compliance with such regulations as the HIPAA Security Rule, Joint Commission and state privacy regulations a higher priority. Bar values were not captured in the extraction.]

KEY FINDING: Dependency on services and products provided by third parties will increase over the next three years, but few organizations take steps to assess the risks.

As shown below, 58 percent of respondents say third-party dependency will significantly increase (25 percent) or increase (33 percent) over the next three years. However, 42 percent of respondents say that this dependency will not change or will decrease.

[Chart: expected change in dependency on third-party services and products over the next three years. Response options shown: Significantly increase; Increase; Stay the same; Decrease; Significantly decrease. Bar values were not captured in the extraction.]

KEY FINDING: Cross-functional teams would eliminate the silos created by the current approach for addressing cybersecurity risks, complying with regulations, and minimizing risks to sensitive data.

According to the graph below, there is not one function that is accountable for responding to cybersecurity risks, ensuring compliance, and minimizing risks to sensitive data. CISOs are most accountable for addressing cybersecurity risks in a timely manner (25 percent of respondents), followed by the business unit leader (20 percent).

The CIO/CTO is most accountable for ensuring there is an enterprise strategy for minimizing risks to sensitive data (21 percent of respondents). Twenty percent of respondents say compliance/legal is most accountable for compliance with privacy and security regulations.

[Chart: Who is the most accountable for addressing cybersecurity risks in a timely manner, ensuring compliance with privacy and security regulations and ensuring there is an enterprise-wide strategy for minimizing risks to sensitive and confidential data? Bar values were not captured in the extraction.]

KEY FINDING: In addition to improving the security posture of organizations, respondents believe investment in technologies will improve the patient experience.

As shown below, 59 percent of respondents say investments will significantly increase (30 percent) or increase (29 percent). As discussed previously, telemedicine, artificial intelligence, and interconnected devices are needed to improve the patient experience.

[Chart: How will your organization's investment in security technologies change in the next 12 months? Response options shown: Significantly increase; Increase; Stay the same; Decrease; Significantly decrease. Bar values were not captured in the extraction.]