SAN DIEGO & NASHVILLE, Tenn.–(BUSINESS WIRE)–In the wake of a record-breaking $16 million data breach settlement earlier this month that put insurers and providers alike on notice that ignoring cybersecurity risks could come with a hefty price tag, a new national survey of U.S. health systems finds that only 29 percent report having a comprehensive cybersecurity program in place.
“Due to a growing number of internal and external security threats, it has become increasingly more difficult for healthcare organizations to protect their sensitive information, including patients’ personal health information,” according to CHIME HealthCare’s Most Wired: National Trends 2018 report issued today during the annual CHIME Fall CIO Forum in San Diego. Clearwater, a CHIME member and top-ranked healthcare cyber risk management solutions company, was a sponsor of the research for a second year.
Clearwater Chief Trust & Security Officer Richard Staynings said the findings from this year’s Most Wired research should be a wake-up call for health system leadership, especially as healthcare becomes increasingly digital (the overall Internet of Medical Things, or IoMT, market is expected to grow from $41 billion in 2017 to $158 billion by 2022, Deloitte, July 2018).
“The question every board of directors and executive leadership team should be asking themselves is, have we done a sufficient risk analysis, and if not, why not?” said Staynings. “In our own analysis of the past 57 OCR settlements involving a breach of electronic protected health information, in 88 percent of the cases, the healthcare organization failed to do a sufficient risk analysis. That’s pretty mind boggling.”
The Anthem data breach, affecting nearly 79 million people, is the largest ever reported, and statistics show healthcare breaches are on the rise, with 277 breaches through the first nine months of 2018, compared with 271 during the same period the year before. Most breaches stemmed from hacking or “IT incidents,” according to the HHS Office for Civil Rights (OCR), which enforces Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Breaches currently under investigation can be found here. Regulators also noted that Anthem failed to take several basic security steps, including conducting an enterprise-wide security risk assessment on all assets involved with PHI, including assets thought to be “out of scope.”
While Most Wired found that most respondents have taken at least one step toward an incident-response plan (97 percent said they have a documented EHR-outage procedure, for example), only 29 percent reported having a comprehensive cybersecurity program in place. Just 26 percent of those surveyed said they had adopted all 10 critical components of an incident response plan, 43 percent had adopted 7-9 components, and 31 percent reported adopting fewer than seven.
“Before provider organizations can achieve outcomes with their strategies for population health management, value-based care, patient engagement, and telehealth, they must first ensure that foundational pieces such as integration, interoperability, security, and disaster recovery are in place,” the CHIME report concluded.
The annual Most Wired survey is designed to identify and recognize healthcare organizations that exemplify best practices through their adoption, implementation and use of information technology. This is CHIME’s first year to oversee the Most Wired program since acquiring it from the American Hospital Association. Participation is open to all CIOs and qualified health organizations.
This year’s research added a new emphasis on measuring key areas to help identify gaps in healthcare organizations’ technology adoption and strategies and to highlight areas in which the industry has opportunities to make progress. The key areas that emerged from this year’s research were:
Integration and Interoperability
Security and Disaster Recovery
Population Health Management and Value-Based Care
Patient Engagement and Telehealth
Clearwater has long been a leader in cyber risk management solutions, and its founder and executive chairman, Bob Chaput, is known as an industry trailblazer. He recently authored a chapter titled “Compliance Risk Management and Cyber Risk Management” in the Wolters Kluwer 2019 Health Law and Compliance Update, now in its 16th year. The publication features national experts who address key developments in healthcare delivery, payment, and compliance.
Chaput’s chapter includes practical advice and analytical tools for use in organizational compliance and cyber risk management programs in addition to a timely and thorough analysis.
The chapter includes topics such as:
What constitutes an OCR-quality risk analysis
Jump-starting an effective cyber risk management program
The consequences of an inadequate risk analysis
Critical building blocks for a comprehensive, enterprise-wide information risk management program
Three pillars of HIPAA compliance
Most common risk analysis mistakes
A case study: St. Joseph Health
The chapter addresses the misconception that compliance risk management and cyber risk management are synonymous. Chaput explains the differences between the two, and gives healthcare organizations the information they need to evaluate where gaps may exist in their compliance and cyber risk management programs. The chapter focuses on what is involved in a comprehensive risk analysis, and offers actionable steps an organization can take to move toward a comprehensive information risk management program.
“Compliance risk management is a critical component of any healthcare organization’s overall risk management program,” said Chaput. “Yet, compliance is only one part of a much bigger information risk management picture. Cyber risk management takes a more complete look at an organization’s information assets, threats and vulnerabilities than compliance risk management does.”
The 2019 Edition of the book can be purchased from Wolters Kluwer: https://lrus.wolterskluwer.com/
submitted by: Joanna Smith