CHIME-KLAS: Most Wired Participants Adopting HHS Advisory Group Cybersecurity Recommendations
ANN ARBOR, MICHIGAN AND SALT LAKE CITY, UTAH, JUNE 28, 2019 – Many organizations that participated in the CHIME HealthCare’s Most Wired program in 2018 reported they follow cybersecurity practices recommended by a federally convened task group of private and public cybersecurity leaders, according to research released today by CHIME and KLAS Research. The task group, called for in Section 405(d) of the Cybersecurity Act of 2015, published their recommendations in HICP (“Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients”) at the end of 2018.
HICP lists 10 overarching cybersecurity practices that the task group determined organizations of all sizes, from local clinics to large healthcare systems, should follow. These include email protection systems, endpoint protection systems, access management, data protection and loss prevention, network management, vulnerability management, incident response, medical device security and cybersecurity policies. An analysis of responses in the 2018 Most Wired survey was published today as a CHIME-KLAS white paper, “How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices (HICP) Guidelines?” The white paper reports that while many providers have adopted guidelines outlined in HICP, there was room for improvement, especially among smaller organizations.
The CHIME HealthCare’s Most Wired survey is conducted annually by the College of Healthcare Information Management Executives (CHIME) to benchmark and identify industry best practices. Cybersecurity, which is critical for protecting patient information and ensuring patient safety, is a major component in the survey. In 2018, 647 surveys were submitted, representing 2,190 hospitals. With support from Clearwater Compliance, CHIME collaborated with KLAS Research to produce a white paper that assesses the adoption of the task group’s recommendations for reducing and mitigating cybersecurity risks. This analysis was augmented by provider commentary and data collected by KLAS via other research methods.
“CHIME’s goal with Most Wired is to improve patient safety and outcomes around the world by identifying best practices and sharing that knowledge across our industry,” said Russell Branzell, CHIME’s president and CEO. “Working with KLAS, we are able to use this amazing resource to benchmark the current state of the industry and highlight strengths and gaps. HICP provides a perfect opportunity to see how far we have progressed and where we need to go in cybersecurity.”
“This report is a wake-up call and road map to identifying cybersecurity vulnerabilities for healthcare providers, and highlighting where specific progress needs to be made,” said Adam Gale, president of KLAS. “CHIME is playing a critical role in monitoring and promoting adoption of HICP recommendations.”
The CHIME-KLAS white paper found many organizations have deployed email and endpoint protection systems, transitioned from homegrown identity and access management solutions to commercial solutions, and adopted data-loss prevention solutions. Most have network access solutions to monitor devices connected to their networks, but fewer than half of the small organizations use network segmentation to control the spread of infections. Large organizations also use more sophisticated and more frequent vulnerability scanning and application testing than do small organizations.
Most have an incident-response plan, but only half conduct an annual enterprise-wide exercise to test the plan. For medical device security, some large organizations report investing in supporting technologies while small organizations say they have strong internal processes. Small organizations are less likely to use cybersecurity policies, and small and medium organizations are four times less likely to have a CISO than large organizations.
The CHIME-KLAS white paper is available here. The HICP report is the result of the collaborative work of the U.S. Department of Health and Human Services and its industry partners. The full HICP report and related documents are available here.
The College of Healthcare Information Management Executives (CHIME) is an executive organization dedicated to serving chief information officers (CIOs), chief medical information officers (CMIOs), chief nursing information officers (CNIOs) and other senior healthcare IT leaders. With more than 2,900 members in 55 countries and over 150 healthcare IT business partners and professional services firms, CHIME provides a highly interactive, trusted environment enabling senior professional and industry leaders to collaborate; exchange best practices; address professional development needs; and advocate the effective use of information management to improve the health and care in the communities they serve. For more information, please visit chimecentral.org.
KLAS is a research and insights firm on a global mission to improve healthcare delivery. Working with thousands of healthcare professionals and clinicians, KLAS gathers data and insights on software, services and medical equipment to deliver timely, actionable reports and consulting services. KLAS represents the provider and payer voice and acts as a catalyst for improving vendor performance, highlighting healthcare industry challenges and opportunities, and helping build understanding and consensus for best practices. To learn more about KLAS, go to klasresearch.com.