Healthcare Cybersecurity Frameworks - A HIMSS 2018 Digest

Understanding adoption and popularity of different security frameworks for Healthcare Organizations and how we expect that to change in 2019

Looking Forward to the 2019 HIMSS Security Survey Results

HIMSS 2019 in Orlando kicks off this week – February 11th through the 15th. Around the event, the organization will be releasing the data and key takeaways from their 2019 cybersecurity survey.

The goal of the survey is to gauge how different healthcare organizations approach the variety of cybersecurity topics facing the healthcare space. It builds on the context laid down in previous surveys to understand the critical themes and how they evolve over time, and it identifies emerging security threats.

The survey also provides a lot of perspective for organizations facing challenges that their peers may also be navigating (or have already navigated), in an effort to improve cybersecurity across the entire industry as a group. It’s an extremely valuable report.

To prime ourselves for what is to come in just a few weeks, we wanted to hit the framework highlights from the 2018 survey.

Healthcare Cybersecurity Frameworks Adoption from Last Year’s Survey

The 2018 HIMSS Cybersecurity Survey was assembled using data points from 239 health information security professionals.

Respondents highlighted adoption of numerous security frameworks, the most widely adopted being the NIST cybersecurity framework. Behind that in a near dead heat were HITRUST and Critical Security Controls followed by ISO, COBIT and others.

[Figure: Healthcare Cybersecurity Framework Adoption, HIMSS 2018 survey]

2 Notable Data Points

There were a couple of notable data points we wanted to call out in anticipation of results from this year’s survey release:

  1. Across 196* different respondents, more than 223 security frameworks are actively in place. That isn’t funny math. What it means is that, on average, 10% of organizations have adopted more than one security framework. This is important because it is an indicator that gaps and vulnerabilities remain even after you institute a security framework. There isn’t a universal standard framework and some organizations are taking steps to
  2. Perhaps alarming is the fact that nearly a fifth of respondents in the healthcare space noted that no formal security framework had been implemented within their organization. We suspect (and hope) this reflects a lack of formal implementation or adoption rather than an absence of policies and procedures, which likely exist.

*239 total respondents less the 45 that noted they either weren’t sure or had not adopted a framework.

Our Bets on 2019 Report Findings

Unfortunately we couldn’t track down a good parlay or over/under on report findings (that may change if the event is ever in Vegas) but we still wanted to note some of the findings and changes we expect to see in the coming report. This is more hopeful and gut-driven than rooted in data.

1) Increased Adoption of Multiple Healthcare Cybersecurity Frameworks

An increasingly bright light is being shone on cloud security and data breaches, and it is becoming increasingly apparent that compliance alone isn’t going to get you to security assurance. The solution for many organizations, right or wrong, is to add on another framework. We suspect organizations are thinking of security frameworks as a Venn diagram: some overlap, but also broader coverage.

In 2018, the share of organizations with more than one framework was a little more than 10%. For the 2019 report we suspect it will be closer to 15%.

2) A Shrinking Percentage of Users without a Framework

Almost 20% of respondents were part of a healthcare organization that had yet to formally adopt a security framework. That is a little scary if you think about the requirements that go into operating in this industry. With the growing awareness of security vulnerabilities, the increasing proliferation of new technologies, and so on, we think the number of respondents saying they are operating without a security framework will be cut in half.

3) So Where are the Respondents Re-distributing?

After the last two sections, you have probably worked out that there are a lot of respondents who need a bucket to fall into. So where are these new framework adopters going to land?

Our bet is on HITRUST (with a side of NIST growth). Starting with HITRUST: many organizations perceive that more effort toward compliance means you are more secure, and HITRUST is hard. While we don’t agree with that notion directly, more and more companies we are speaking with are looking to bring HITRUST into their operations.

We also suspect growth in NIST with the release of their updated security framework in recent months. The awareness alone should prompt increased adoption.

A Positive Step with More Room to Improve

Using healthcare cybersecurity frameworks to eliminate the known gaps in your operations is a smart move. Thinking that adopting more frameworks will make you even more secure… we think that is a stretch. Assurance in your security operations comes down to what you do each and every day, not just a sprint to compliance.

Read the Complete 2018 Report

Here is a link to the full report. It goes into great detail and is a worthwhile read for the flight to this year’s conference.

The 2018 HIMSS Cybersecurity Final Report

Are you planning to adopt one or many healthcare cybersecurity frameworks? We can help streamline the path to security assurance and compliance.
