May 03 2021

Establishing a Baseline for Healthcare Security Metrics

A survey from CDW and Ochsner Health aims to help IT leaders know where they stand on key cybersecurity efforts.

Cybercriminals frequently work together to achieve their objectives. Some healthcare IT professionals think their organizations should work together too.

One area where healthcare IT leaders may be able to meet this goal is in establishing cybersecurity metrics and baselines for the industry. Currently, such metrics are generally unavailable, but CDW is working with industry leaders to establish them. Tom Stafford, healthcare CTO with CDW, is spearheading an effort to survey IT leaders in the healthcare sector to get a better understanding of how they measure their security efforts.

“We want to use this data to create a dashboard that gives companies an understanding of where they sit within the healthcare industry,” Stafford says. By collecting survey data from IT leaders in healthcare, the project is intended to establish a common set of metrics and create a baseline of where the industry stands.

GET INVOLVED: Click here to participate in this CDW Healthcare Security Metrics Survey.

IT Leaders Need Context for Their Security Efforts

The purpose of the survey, Stafford says, is to give IT leaders a clearer perspective on how their security efforts compare with the healthcare industry as a whole. For example, if an organization’s anti-phishing program aims to reduce the likelihood that users will click on a suspicious link in an email, knowing that the organization’s click rate is 1 percent is useful. But knowing that the industry average is 5 percent provides context that shows the organization’s anti-phishing efforts are more effective than the industry average.

Establishing this context has been challenging for several reasons, says Steve LeBlond, vice president of information services and COO of the IS division at Ochsner Health, which is working with CDW on the survey. As a practice, cybersecurity is relatively young, LeBlond says, pointing out that just 10 years ago, few organizations had a CISO position within their corporate structures. In addition, the industry has not established a commonly accepted set of security metrics that should be measured, and, in general, organizations are reluctant to share data about their security efforts for fear of giving cybercriminals information that could be used against them.

Ochsner has built a dashboard that gives the health system’s IT team a clear look at how it is performing in security domains relevant to the National Institute of Standards and Technology’s Cybersecurity Framework. But while the dashboard can tell Ochsner’s IT professionals how many of the company’s endpoints may not have anti-virus software installed, it cannot show how that performance stacks up against the rest of the healthcare industry. LeBlond sees this as a serious challenge. “We’re always working to improve,” LeBlond says. “But without a baseline to reference, we don’t have objective information on how much our efforts have improved our position relative to the industry.”

Taking Measure Against Security Challenges

Every organization should know where it stands on a number of fundamental security metrics. The CDW survey will provide this perspective. IT leaders responding to the survey will report their performance on metrics such as the percentage of devices logged on to their networks that are unknown rather than known (a measure provided by many network access control solutions). Other measurements will include the average number of critical vulnerabilities discovered by penetration testing, the percentage of servers that were backed up in the last 24 hours and the percentage of employees who have completed security training. Organizations that participate in the survey will have detailed access to the results.

Ochsner’s IT team reports its performance on these and other metrics to its board of directors every other month. Once the CDW survey is complete, it will provide a context to the board that demonstrates how the IT team is performing compared with the rest of the industry. This information is particularly useful for healthcare organizations looking to prioritize their security investments and efforts in the future.

“Once CISOs have this information,” Stafford says, “they’ll be able to go to their CEOs with a clearer idea of how they think the organization should move forward.”


This article is part of HealthTech’s MonITor blog series. Please join the discussion on Twitter by using #WellnessIT.
