The document summarizes the key findings of a 2018 healthcare cybersecurity survey conducted by Sirius involving 143 healthcare IT leaders. The survey found that while most organizations recognize the importance of security risk assessments and business continuity plans, fewer than half have dedicated internal security teams. Additionally, responses showed variations in approaches to security training, vulnerability detection, and testing disaster recovery capabilities. Overall, the survey indicates that while healthcare organizations are tackling cybersecurity, there is still room for improvement in establishing robust security practices and programs.

1. HEALTHCARE CYBERSECURITY SURVEY
2 0 1 8
A Sirius Healthcare Cybersecurity Study | December 2018

2. Today, more data is generated and shared electronically than ever before,
dramatically increasing opportunities for theft and accidental disclosure of
sensitive information. This reality, along with stiff penalties for failing to comply
with regulations such as HIPAA and GDPR, makes the need for cybersecurity
critical. Sirius asked 143 healthcare IT leaders critical questions concerning their
security practices, to gauge their approaches to cybersecurity.

3. KEY FINDINGS
Based on responses, healthcare IT leaders recognize the importance
of performing risk assessments, but differ when it comes to choosing
how best to detect vulnerabilities.
FEWER THAN HALF have an internal team dedicated to security
information and event management (SIEM).
MORE THAN HALF are operating on an internal hospital network.
The vast majority have a business continuity & disaster recovery
(BC/DR) plan, but vary in their capabilities to test failovers in a live
environment.
Overall, surveyed leaders require IT teams to complete security
trainings either at hire, quarterly or annually.
MORE THAN HALF
FEWER THAN HALF

4. HOW ARE HEALTHCARE ORGANIZATIONS
TACKLING CYBERSECURITY?
54% perform an annual information security risk assessment using INTERNAL RESOURCES.
40% perform an annual information security risk assessment using PARTNER RESOURCES.
USING INTERNAL
R E S O U R C E S
54% USING PARTNER
R E S O U R C E S
40%

5. 43% utilize internal staff to search for vulnerabilities.
29% have adopted a vulnerability scanning process, using the system to prioritize risks.
17% rely on vendors to notify them and prioritize threats on their behalf.
IDENTIFYING CYBER THREATS
U T I L I Z E I N T E R N A L S T A F F43%
U T I L I Z E V E N D O R S17%
A D O P T E D S C A N N I N G P R O C E S S29%

6. 54% have deployed a NEXT-GENERATION ANTI-VIRUS or endpoint detection and response (EDR)
solution to either replace traditional anti-virus or supplement it.
62% have an INTERNAL TEAM DEDICATED TO MONITORING SIEM.
61% have ADOPTED A PARTICULAR FRAMEWORK (NIST, PCI DSS, HIPAA/HITECH, ISO 27001/2)
guided by a risk-based approach as the basis of their security program.
INTERNAL SIEM
M O N I T O R I N G
ADOPTED INDUSTRY-STANDARD
S E C U R I T Y
NEXT GENERATION
A N T I - V I R U S
54% 62% 61%

7. CLOUD SECURITY
24% have FULLY INTEGRATED their information security and
risk management program into their use of cloud services.
34% have STARTED TO INTEGRATE their information security
and risk management program into their use of cloud services.
19% treat their ON-PREMISES ENVIRONMENT SEPARATELY
from their cloud services.
23% are NOT CURRENTLY USING cloud services
24%
23%
19%
34%

8. BUSINESS CONTINUITY
58% have a fully operational BC/DR plan and
test failover in a live environment.
B C / D R P L A N
FULLY OPERATIONAL
58%
33% have a DR plan but cannot test
failover without causing disruption.
D R P L A N
WITH DISRUPTION
33%

9. TRAINING AND SECURITY EXPERTISE
How often is end-user training provided that covers how to securely use shared resources and systems in
public areas?
13% require and conduct security trainings at HIRE AND
QUARTERLY.
46% require and conduct security trainings at HIRE AND
ANNUALLY.
18% require security trainings ANNUALLY.
15% require security training at HIRE.
13%
15%
18%
46%

10. LET’S TALK
Attackers will never stop trying to exploit your organization’s vulnerabilities. As long as threats exist, you
need effective security controls to counteract them. Sirius’ expertise, implementation capabilities and
top-ranked managed services enable organizations to achieve end-to-end security from the enterprise to
the cloud.
Make an appointment with a Sirius security expert today
to discuss your security compliance needs and goals.
siriuscom.com | 800-460-1237
LEARN MORE