CHIME and AEHIS Cybersecurity Survey. October 2016

Similar documents
Medical Device Cybersecurity: FDA Perspective

Cybersecurity for Health Care Providers

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Todd Sander Vice President, Research e.republic Inc.

The Cyber War on Small Business

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

COPYRIGHT 2018 NETSCOUT SYSTEMS, INC. 1

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

External Supplier Control Obligations. Cyber Security

FDA & Medical Device Cybersecurity

Cybersecurity The Evolving Landscape

Cybersecurity Survey Results

Cybersecurity 2016 Survey Summary Report of Survey Results

Addressing the elephant in the operating room: a look at medical device security programs

DIGITAL ACCOUNTANCY FORUM CYBER SESSION. Sheila Pancholi Partner, Technology Risk Assurance

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Practical Guide to the FDA s Postmarket Cybersecurity Guidance

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Cyber fraud and its impact on the NHS: How organisations can manage the risk

Cybersecurity for Service Providers

Cyber Resilience. Think18. Felicity March IBM Corporation

Jeff Wilbur VP Marketing Iconix

Protecting your next investment: The importance of cybersecurity due diligence

Advanced IT Risk, Security management and Cybercrime Prevention

Hacking and Cyber Espionage

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

Cybersecurity and Nonprofit

Internet of Things Toolkit for Small and Medium Businesses

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Medical Devices Cybersecurity? Introduction to the Cybersecurity Landscape in Healthcare

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

2017 RIMS CYBER SURVEY

Cyber Risks in the Boardroom Conference

WHITEPAPER HEALTHCARE S KEY TO DEFEATING CYBERATTACKS

Comprehensive Cyber Security Risk Management: Know, Assess, Fix

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

PA TechCon. Cyber Wargaming: You ve been breached: Now what? April 26, 2016

Combating Cyber Risk in the Supply Chain

Think Oslo 2018 Where Technology Meets Humanity. Oslo. Felicity March Cyber Resilience - Europe

DeMystifying Data Breaches and Information Security Compliance

Cyber Security Panel Discussion Gary Hayes, SVP & CIO Technology Operations. Arkansas Joint Committee on Energy March 16, 2016

PULSE TAKING THE PHYSICIAN S

Webcast title in Verdana Regular

Top Ten IT Security Risks CHRISTOPHER S. ELLINGWOOD SENIOR MANAGER, IT ASSURANCE SERVICES

3/3/2017. Medical device security The transition from patient privacy to patient safety. Scott Erven. Who i am. What we ll be covering today

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

Medical device security The transition from patient privacy to patient safety

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Brussels. Cyber Resiliency Minimizing the impact of breaches on business continuity. Jean-Michel Lamby Associate Partner - IBM Security

Cybersecurity: Incident Response Short

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Express Monitoring 2019

Consolidated Edition. 5th Annual State of Application Security Report Perception vs. Reality

Cyber Crime Update. Mark Brett Programme Director February 2016

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

TRAINING WEEK COURSE OUTLINE May RADISSON HOTEL TRINIDAD Port of Spain, Trinidad, W.I.

Cyber Security Issues

The Cost of Denial-of-Services Attacks

STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

Cybersecurity, safety and resilience - Airline perspective

The Third Annual Study on the Cyber Resilient Organization

Cyber Security Stress Test SUMMARY REPORT

2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

Understanding Cyber Insurance & Regulatory Drivers for Business Continuity

CYBERSECURITY RESILIENCE

Information Security Is a Business

Cyberspace : Privacy and Security Issues

Legal Aspects of Cybersecurity

Mastering The Endpoint

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

ISACA West Florida Chapter - Cybersecurity Event

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Medical Device Cybersecurity A Marriage of Safety and Security

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Safeguarding company from cyber-crimes and other technology scams ASSOCHAM

Annual Report on the Status of the Information Security Program

Detecting breach. There are only two types of organisations in the world... Terry Greer-King Director, Cyber security, UK & Africa May 2017

Business continuity management and cyber resiliency

MIS5206-Section Protecting Information Assets-Exam 1

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

Cyber Security in Timothy Brown Dell Fellow and CTO Dell Security

Project 2020: Preparing Your Organization for Future Threats Today

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Unit 3 Cyber security

Medical Device Vulnerability Management

Electronic Communication of Personal Health Information

Illinois Cyber Navigator Program

CYBERSMART BUILDINGS. Securing Your Investments in Connectivity and Automation

BREACHES HAPPEN: BE PREPARED. Endpoint Detection & Response

Gujarat Forensic Sciences University

Transcription:

CHIME and AEHIS Cybersecurity Survey October 2016

Fielding and Reponses Responses: 190 Survey fielded: Approximately a month (8/29-9/30)

Demographics

In what state or U.S. territory do you currently work? Answered: 189 Skipped: 2

Responses Evaluated by Bed Size Less than 100 beds, Other Care Providers w/ Inpatient beds: 36 respondents 100 to 399 beds: 48 respondents 400 or more beds: 78 respondents All respondents: 190

What best describes your organization type?

What is the total number of employees across your entire organization, including all of its branches, divisions, and subsidiaries?

What is your organization s annual revenue?

What is your total number of IT staff?

Responses on Threats and Vulnerabilities

Q 8. Thinking about your own organization, please rate the following potential security threats on the degree of concern you have for each. Scale: 1 being your top concern, 5 being no concern at all 3.50 Threats 3.00 2.50 2.00 1.50 1.00 0.50 0.00 Less than 100 beds 100 to 399 beds 400 or more beds All Respondents Social Engineering 1.91 2.08 1.68 1.88 Cyber Terrorism 2.56 2.46 2.29 2.38 IoT 2.67 2.52 2.84 2.77 Organized Crime 3.03 2.94 2.78 2.83 Insider Threat 2.79 2.46 2.34 2.36 Data Theft 2.50 1.67 1.71 1.75 Social Engineering Cyber Terrorism IoT Organized Crime Insider Threat Data Theft

Q 9. Thinking about your own organization, please rate the following potential security exploits on the degree of concern you have for each. 3.50 3.00 2.50 2.00 1.50 1.00 0.50 0.00 Exploits Scale: 1 being your top concern, 5 being no concern at all Less than 100 100 to 399 400 or More All Respondents Botnets 2.53 2.46 2.3 2.38 Hacking 2.47 1.94 1.94 1.99 Back Doors 2.66 2.3 2.26 2.28 Malware 2.25 1.71 1.64 1.65 Insider Threat 2.71 2.38 2.29 2.33 Ransomware 2.18 1.44 1.41 1.49 Denial of Service 2.88 2.65 2.5 2.63 Botnets Hacking Back Doors Malware Insider Threat Ransomware Denial of Service

Q 10. Thinking about your own organization, please rate the following potential security vulnerabilities on the degree of concern you have for each. Scale: 1 being your top concern, 5 being no concern at all 3.50 Vulnerabilities 3.00 2.50 2.00 1.50 1.00 0.50 0.00 Less than 100 beds 100 to 399 beds 400 or more beds All Respondents Poor Authentication Session Management 2.55 2.19 2.21 2.23 Security Misconfiguration 2.59 2.00 2.10 2.09 Buffer Overflows 3.12 2.65 2.86 2.82 Injection Vulnerabilities 2.88 2.31 2.44 2.47 Data Exposure 2.35 1.63 1.85 1.77 Poor Authentication Session Management Security Misconfiguration Buffer Overflows Injection Vulnerabilities Data Exposure

Q 11. Please indicate how common each of the security threats listed below are Threatsfor your organization 4.00 Scale: 1 being very common, 5 being very uncommon 3.50 3.00 2.50 2.00 1.50 1.00 0.50 0.00 Less than 100 Beds 100 to 399 beds 400 or more beds All Respondents Social Engineering 1.80 2.10 2.26 2.31 Cyber Terrorism 2.50 3.50 3.54 3.55 IoT 2.47 2.65 3.08 3.12 Organized Crime 2.80 3.73 3.81 3.77 Insider Threat 2.52 2.90 3.16 3.09 Data Theft 2.69 3.08 3.22 3.19 Social Engineering Cyber Terrorism IoT Organized Crime Insider Threat Data Theft

Q 12. Please indicate how common each of the security exploits listed below are for your organization Scale: 1 being very common, 5 being very uncommon 4.00 Exploits 3.50 3.00 2.50 2.00 1.50 1.00 0.50 0.00 Less than 100 beds 100 to 399 beds 400 or more beds All Respondents Botnets 3.00 3.03 2.96 3.05 Hacking 3.00 3.10 2.93 3.05 Back Doors 3.00 3.28 3.28 3.3 Malware 3.00 1.90 2.01 2.01 Insider Threat 3.00 2.87 3.13 3.1 Ransomware 3.00 2.40 2.50 2.52 Denial of Service 3.00 3.55 3.46 3.55 Botnets Hacking Back Doors Malware Insider Threat Ransomware Denial of Service

Q 13. Please indicate how common each of the security vulnerabilities listed below are for your organization Scale: 1 being very common, 5 being very uncommon 4.00 Vulnerabilities 3.50 3.00 2.50 2.00 1.50 1.00 0.50 0.00 Less than 100 beds 100 to 399 beds 400 or more beds All respondents Poor authentican 2.67 2.60 2.66 2.71 Security Misconfiguration 2.33 2.58 2.70 2.68 Buffer overflows 3.33 3.40 3.44 3.52 Injection Vulnerabilities 3.00 3.45 3.13 3.31 Data Exposure 3.33 3.08 2.89 2.96 Other Application Vulnerabilities 2.67 2.58 2.59 2.64 Poor authentican Security Misconfiguration Buffer overflows Injection Vulnerabilities Data Exposure Other Application Vulnerabilities

Q 14. Please rank: In your opinion, why does the business strategy not drive the security strategy? 1 = Top Reason, 7 = Very Little Reason 6.00 Business Strategy vs. Security Strategy 5.00 4.00 3.00 2.00 1.00 0.00 Less than 100 beds 100 to 399 beds 400 or more beds All Respondents Budgets or Staffing 2.90 3.00 2.80 5.1 Pace of change for the business (Too Many other Initiatives) 2.93 3.00 2.84 5.05 Security is not considered a patient care or quality of care issue 4.26 3.69 3.83 4.08 BYOD/BYOA 5.30 5.24 5.29 2.72 Regulatory Landscape is too complex 4.67 4.67 4.86 3.4 Threat landscape changes too quickly 4.23 3.95 4.43 3.72 Changing delivery of care models and workflows don't address security until after the fact 3.71 4.33 3.92 3.95

Q 15. Compared to a year ago, please indicate how your organization would perform if its systems or data were compromised by a targeted attack? Scale: 1 = Better, 3= Worse 1.35 Organization's Performance vs. One Year Ago 1.30 1.25 1.20 1.15 1.10 1.05 1.00 0.95 Less than 100 beds 100 to 399 beds 400 or more beds All Respondents Having systems in place to prepare for a security incident 1.10 1.18 1.14 1.16 Discovering a security incident 1.32 1.23 1.20 1.22 Recovering from a security incident 1.32 1.28 1.26 1.28 Having systems in place to prepare for a security incident Discovering a security incident Recovering from a security incident

Q 16. How confident are you that Federal legislators understand the importance of security enough to support your key information security initiatives? Confidence in Federal Legislators to Understand Security Initiatives 0.68% 5.40% 39.46% 25.17% 29.25% Very Confident Neither Confident nor Unconfident Don't know Somewhat Confident Not Confident at All

Q 17. What do you think the Federal Government could do to help you share cybersecurity information more easily and faster? Pick your top 3. Percentage of overall respondents. Disclosures of confidential information shared by providers within an ISAO must be done in a way that does not jeopardize reputational harm (i.e. use of non-di2losure agreements and protections for providers participating in ISAOs against federal actions Mitigate costs of participation in ISOs/ISAOs since many providers have limited resources and costs should not be a barrier to entry (i.e. manufacturers should help share the burden of these costs in order to increase HDO participation). Actions to Share Easier and faster 34.41 36.73 Establish a hotline for providers to call should they enter barriers with manufacturers who insist they cannot remedy an uncontrolled risk without additional FDA clearance. 23.81 Require ISOs/ISAOs to communicate threats in a common format / language 27.21 Require manufacturers to have to report cyber risks directly to providers, not just US-CERT. 44.22 Create Patient Safety-like (PSO) organizations for sharing cyber information and threats. Incentivize participation in Information Sharing Organizations(ISO) and Information Sharing Analysis Organizations (ISAO). (i.e. shielding against audits for providers who mentor / help less resourced providers) 29.25 55.1 Create and distribute tools aimed at providers of different sizes and levels of resources (i.e. resources for small providers could vary from those needed by 1 resourced, larger providers) 51.02 More education and outreach 34.01 0 10 20 30 40 50 60

Q 17. What do you think the Federal Government could do to help you share cybersecurity information more easily and faster? Pick your top 3. 100 or less beds Actions to Share Easier and faster Disclosures of confidential information shared by providers within an ISAO must be done in a way that does not jeopardize reputational harm (i.e. use of non-di2losure agreements and protections for providers participating in ISAOs against federal actions Mitigate costs of participation in ISOs/ISAOs since many providers have limited resources and costs should not be a barrier to entry (i.e. manufacturers should help share the burden of these costs in order to increase HDO participation). 9 18 Establish a hotline for providers to call should they enter barriers with manufacturers who insist they cannot remedy an uncontrolled risk without additional FDA clearance. 7 Require ISOs/ISAOs to communicate threats in a common format / language 9 Require manufacturers to have to report cyber risks directly to providers, not just US-CERT. 10 Create Patient Safety-like (PSO) organizations for sharing cyber information and threats. Incentivize participation in Information Sharing Organizations(ISO) and Information Sharing Analysis Organizations (ISAO). (i.e. shielding against audits for providers who mentor / help less resourced providers) Create and distribute tools aimed at providers of different sizes and levels of resources (i.e. resources for small providers could vary from those needed by 1 resourced, larger providers) 7 13 24 More education and outreach 9.00 0.00 5.00 10.00 15.00 20.00 25.00 30.00

Q 17. What do you think the Federal Government could do to help you share cybersecurity information more easily and faster? Pick your top 3. 100 to 399 beds Actions to Share Easier and faster Disclosures of confidential information shared by providers within an ISAO must be done in a way that does not jeopardize reputational harm (i.e. use of non-di2losure agreements and protections for providers participating in ISAOs against federal actions Mitigate costs of participation in ISOs/ISAOs since many providers have limited resources and costs should not be a barrier to entry (i.e. manufacturers should help share the burden of these costs in order to increase HDO participation). 8 16 Establish a hotline for providers to call should they enter barriers with manufacturers who insist they cannot remedy an uncontrolled risk without additional FDA clearance. 10 Require ISOs/ISAOs to communicate threats in a common format / language 8 Require manufacturers to have to report cyber risks directly to providers, not just US- CERT. 19 Create Patient Safety-like (PSO) organizations for sharing cyber information and threats. Incentivize participation in Information Sharing Organizations(ISO) and Information Sharing Analysis Organizations (ISAO). (i.e. shielding against audits for providers who mentor / help less resourced providers) Create and distribute tools aimed at providers of different sizes and levels of resources (i.e. resources for small providers could vary from those needed by 1 resourced, larger providers) 17 21 21 More education and outreach 0 5 10 15 20 25 15

Q 17. What do you think the Federal Government could do to help you share cybersecurity information more easily and faster? Pick your top 3. 400 or more beds Disclosures of confidential information shared by providers within an ISAO must be done in a way that does not jeopardize reputational harm (i.e. use of non-di2losure agreements and protections for providers participating in ISAOs against federal actions Mitigate costs of participation in ISOs/ISAOs since many providers have limited resources and costs should not be a barrier to entry (i.e. manufacturers should help share the burden of these costs in order to increase HDO participation). Establish a hotline for providers to call should they enter barriers with manufacturers who insist they cannot remedy an uncontrolled risk without additional FDA clearance. Actions to Share Easier and faster 18 22 29 Require ISOs/ISAOs to communicate threats in a common format / language 13 Require manufacturers to have to report cyber risks directly to providers, not just US- CERT. 35 Create Patient Safety-like (PSO) organizations for sharing cyber information and threats. Incentivize participation in Information Sharing Organizations(ISO) and Information Sharing Analysis Organizations (ISAO). (i.e. shielding against audits for providers who mentor / help less resourced providers) Create and distribute tools aimed at providers of different sizes and levels of resources (i.e. resources for small providers could vary from those needed by 1 resourced, larger providers) 22 31 38 More education and outreach 0 5 10 15 20 25 30 35 40 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback