By Lee Kim, JD, CISSP, CIPP/US, FHIMSS
Respondents to the 2018 HIMSS Cybersecurity Survey included health care providers, vendors, and consultants. Respondents’ roles included executive management, nonexecutive management, and nonmanagement professionals.
The 2018 HIMSS Cybersecurity Survey sought to answer two overarching questions:
How far has the health care and public health sector progressed in cybersecurity, and who is doing what in cybersecurity?
Respondents were asked whether their organizations had experienced a significant security incident in the past 12 months. The majority of respondents (75.7%) indicated that their organizations did experience a significant security incident; 21.2% of respondents said their organizations did not. The respondents whose organizations experienced a recent significant security incident were asked to characterize the threat actor—the type of actor they believe was responsible for the incident.
According to respondents, the top type of threat actor was the online scam artist (eg, phishing or spear phishing) at 37.6% of respondents. Negligent insiders (20.8% of respondents) and hackers (20.1% of respondents) were also frequently identified as threat actors responsible for the recent significant security incident.
By far, the leading initial point of compromise for organizations experiencing a recent significant security incident was e-mail, according to 61.9% of respondents. Other responses ranged from compromised organizational websites to compromised cloud provider/service; generally, 2% or 3% of respondents indicated initial points of compromise such as these.
Health Care Organizations Making Some Progress
A significant number of respondents (84.3%) indicated that their organizations have increased the use of resources (eg, people, assets), compared with last year. Unfortunately, significant barriers to mitigating and remediating security incidents included lack of people, according to 52.4% of respondents, and lack of financial resources, according to 46.6% of respondents. Coupled with the usual state of hospitals running on thin profit margins, with some in the red, health care organizations struggle with providing enough money, resources, and people to run their cybersecurity programs.
On a positive note, however, risk assessments are generally done at least once a year, according to 69.7% of respondents, and many are taking proactive actions as a result of risk assessment, such as adopting new or improved security measures (83.1% of respondents), replacing or upgrading security solutions (65.1% of respondents), or replacing hardware, software, and other devices that are at the end of life or have been depreciated (56.6% of respondents).
Nonetheless, the health care and public health sector has definite room for growth. For example, there is a lack of uniformity in regard to consumption of cyber threat intelligence sources. The top three resources are the following:
Furthermore, less than one-half of respondents (44.9%) indicated that their organizations have formal insider threat management programs.
Priorities and Future State
Health care organizations have a wide variety of priorities for their cybersecurity programs, ranging from incident response to medical device security, according to 10% to 12% of respondents across all categories. When asked whether they are concerned about failure or disruption of another critical infrastructure sector, however, the majority of respondents were concerned about the IT/communication sector, eg, the internet and other computer networks, and the IT sector.
While there is definitely room for improvement compared with the previous few years, there is some positive movement in regard to cybersecurity programs; health care cybersecurity programs are making progress.
— Lee Kim, JD, CISSP, CIPP/US, FHIMSS, is director of privacy and security at HIMSS North America.
By Carla Smith, MA, FHIMSS, CNM
HIMSS announces an innovation in the release of its annual compensation survey; for the first time in 12 years of study, findings are being reported based upon race. An important barometer of compensation-related knowledge and trends, the 2018 findings are particularly resonant as gender equity issues dominate US conversations.
This year’s findings are consistent with years past; pay disparities persist among select population groups. Specifically, this research shows that the average salary of health IT professionals varies by gender and race. On average across all positions and years in a position, females make 18% less than their male peers, and minorities make 12% less than nonminorities.
Nuanced disparities also emerge. Executive-level women face a larger salary gap compared with their male counterparts than women at other organizational levels, and this gap is growing. Also, older respondents across all gender and racial categories reported greater pay disparities than their younger counterparts. Minority females face the biggest gap in pay equity of all, with the lowest average salaries of the four gender-racial groups considered.
Regarding digital health workers’ perceptions and satisfaction with their compensation, the data show that, overall, respondents tended to be moderately satisfied with their current base salaries. Nonwhite respondents tend to be less satisfied with their pay than respondents who identified as white; however, females are statistically just as satisfied with their pay as their male peers. This suggests the potential to better communicate compensation data to all digital health workers and to better understand the compensation expectations and strategies of female digital health professionals.
HIMSS sees these findings as a call to action, prompting investment in this research and education in areas such as mentorship and career development. HIMSS wants to help managers become educated about why gender and racial equity is good for business and how to reduce disparities, as well as to equip workers with the tools to understand what they’re worth and how to successfully negotiate.
— Carla Smith, MA, FHIMSS, CNM, is executive vice president of HIMSS.
By Lorren Pettit
The HIMSS 2018 US Leadership and Workforce Survey offers insight into the information and technology concerns of US health leaders, particularly those involved in the hospital marketplace. The data suggest a year-over-year consistency in the market’s information and technology priorities, with vendors/consultants and hospital respondents evaluating many priorities with the same degree of intensity. The findings also reveal that vendors/consultants and hospital providers do not necessarily share all of the top concerns. These findings suggest that the market is too complex for health leaders to employ a one-size-fits-all approach when addressing the priorities of hospitals. The following are five key findings from this year’s survey:
Vendors/consultants and hospitals continue to be generally aligned on information and technology priorities, with cybersecurity and data analytics emerging as two of the top priorities across all respondent groups. While vendors/consultants and hospital respondents evaluated many of the priorities with the same intensity, they did vary in terms of the rank order of the issues. That said, there was a consistency in the primacy assigned to certain issues. Privacy, security, and cybersecurity was the third most important priority for vendors and consultants and the second most important priority for hospital respondents. Likewise, data analytics/clinical and business intelligence was the top priority for vendors/consultants and the fifth most important priority for hospital respondents. Given the array of priorities the hospital faces, these two issues are prominent areas of focus for information and technology professionals in all settings in 2018.
Information and technology professionals employed within hospital settings are enjoying increased influence. Both provider respondents and vendor/consultants were asked to rate the “shift in influence” that some information and technology executives appear to be experiencing within the provider organization. The findings reveal vendors/consultants and hospital executives are largely in agreement regarding their perceptions of the increased influence of varied information and technology executives. For vendors/consultants, this means they will need to be ever more purposeful in establishing and maintaining relationships with their clients within the hospital setting.
Vendors/consultants and providers are at odds regarding the projected demand for information and technology resources this coming year. The majority of vendors/consultants (86%) expect their volume of business to increase next year, while the majority of hospitals (63%) project their IT operating budget to stay the same (21%) or be reduced (43%). Given these findings, vendors/consultants will need to ensure they are staffed appropriately to meet this anticipated increased demand or risk overextending themselves.
Hospitals are more likely to modify IT projects due to staffing/workforce challenges than vendors and consultants. More than one-half of hospital respondents (51%) claimed their organization elected to place on hold or scale back an IT project or initiative in the past year due to a workforce challenge, compared with 38% of vendors/consultants. This is an increase over last year, when 47% of hospital respondents reported that workforce challenges negatively impacted an IT project. To help address these ongoing workforce issues, hospitals may want to consider leveraging the services of an outside executive search firm.
Health IT professionals looking for jobs should start with vendors/consultants—and be prepared to tackle cybersecurity and data analytics. The majority (69%) of vendors/consultants indicated that they had open positions to fill, compared with 34% of hospitals. Across the board, this year’s survey results indicated privacy, security, and cybersecurity as well as data analytics/clinical and business intelligence are among the top priorities for 2018; therefore, IT applicants should go into the job search with an understanding of how their role maps back to and supports these priorities.
— Lorren Pettit is vice president of health information systems and research for HIMSS.