Cybersecurity is Top Issue for Hospital IT Professionals, Creating New Workforce Dynamics

HIMSS survey suggests focus on other IT priorities may lag; influence of security leaders may cause tension.

Cybersecurity, privacy, and security are creating such pressing issues for hospitals, other technology projects may be waylaid and discord among IT leadership could occur if the emerging influence of security professionals is not handled properly, according to the 2019 HIMSS U.S. Leadership and Workforce Survey.

The annual study included feedback from 269 U.S. health information and technology leaders between November 2018‒January 2019. The 30^th edition of the survey examines trends and provides insights into the rapidly changing market for healthcare and IT professionals.

Among the key takeaways for hospitals:

• The emergence of information security leaders as the third influential member of hospital IT leadership teams—following CIOs and senior clinical IT leaders—may create tensions for some organizations.
   
• The top issue for hospital IT leaders is cybersecurity, privacy, and security.
   
• The focus on security is so predominant, authors of the study suggest that other technological priorities may be put on the back burner.

Information about trends and issues for vendors and non-acute care facilities are also addressed in the full report.

Role of Security Leaders Expands
 

The study examines employment trends for specific job titles and, in some cases, compares rates to the prior year. Information security leaders continue to expand their presence in hospitals.

While employment of CIOs and senior clinical IT leaders remains fairly steady; employment of senior information security leaders at hospitals rose by 14% between 2018 and 2019. The study also documents how many hospitals employ professionals for other emerging technology leadership roles, such as chief technology, innovation, and transformation officers, but does not provide comparisons to previous years.

Hospital employment of IT leaders in the following positions for 2019 includes:

• Chief Information Officer 84% (-3% compared to 2018)
   
• A senior clinical IT leader (CMIO, CNIO, CHIO) 68% (+1% compared to 2018)
   
• A senior information security leader (CISO) 56% (+14% compared to 2018)
   
• Chief Technology Officer 36%*
   
• Chief Innovation Officer 19%*
   
• Chief Transformation Officer  7%*
   
• None of the above  9%*

*Comparative data to previous years was not available.

“The emergence of a third leader overseeing a hospital’s information and technology efforts is bound to result in internal tensions as competing interests and overlapping jurisdictions present themselves,” says Lorren Pettit, MS, MBA, vice president at HIMSS in a news release. “These challenges have the potential to stymy a hospital’s progression if hospital leaders are not careful to manage these hurdles effectively.”

The report further elaborates that unless roles and responsibilities are clearly delineated, the influence of security professionals could impede a hospital’s progression on information and technology priorities as leaders "work through internal territorial challenges."

[Editor's Note: Healthcare professionals who operate in these areas may be interested in attending the HealthLeaders Innovation Exchange July 17‒19 at the Ojai Valley Inn in Ojai, California. This forum will gather hospital information, innovation, and transformation leaders for deep peer discussions to explore ways that innovation can add value.]

Information Technology Priorities
 

The survey gauges interest from IT professionals about 24 topics. While cybersecurity outranked all other responses, "improving quality outcomes" and "clinical informatics and clinician engagement" also was highly rated for hospital respondents. Telehealth ranked ninth; innovation took the twenty-first spot.

Survey participants ranked these topics on a scale of one (not a priority) to seven (essential priority). Following are the ranking and mean scores for hospital respondents:

1. Cybersecurity, Privacy, and Security 5.81
    
2. Improving Quality Outcomes Through Health Information and Technology 5.28
    
3. Clinical Informatics and Clinician Engagement  5.24
    
4. Process Improvement, Workflow, Change Management 5.03
    
5. Culture of Care and Care Coordination 4.92
    
6. Data Science/Analytics/Clinical and Business Intelligence 4.91
    
7. Leadership, Governance, Strategic Planning 4.90
    
8. User Experience, Usability and User-Centered Design  4.86
    
9. Telehealth 4.82
    
10. Consumer/Patient Engagement & Digital/Connected Health 4.80
     
11. Population Health Management and Public Health 4.77
     
12. Safe Info and Tech Practices for Patient Care 4.62
     
13. HIE, Interoperability, Data Integration and Standards 4.62
     
14. Public Policy, Reporting, and Risk Management 4.31
     
15. Healthcare App and Tech Enabling Care Delivery  4.20
     
16. Social, Psychosocial & Behavioral Determinants of Health 4.06
     
17. Consumerization of Health 3.75
     
18. Clinically Integrated Supply Chain 3.66
     
19. Healthy Aging and Technology  3.60
     
20. Health Informatics Education, Career Development & Diversity  3.53
     
21. Innovation, Entrepreneurship and Venture Investment 3.47
     
22. Precision Medicine/Genomics  3.47
     
23. Disruptive Care Models 3.39
     
24. Grand Societal Challenges 2.88
     

Security Needs May Slow Down Focus on Other IT Priorities
 

Study authors characterized the prioritization of cybersecurity, privacy, and security by providers as "remarkably higher" than the next highest priority. The focus is so predominant, the authors suggest that other technological priories may be put on the back burner.

"Of the array of priorities presented respondents, 'cybersecurity, privacy, and security' was one of the only 'defensive' business tactics respondents were asked to consider," states the report. "That providers (especially hospital respondents) responded so passionately to this priority suggests a growing number of provider organizations realize the need to protect existing business practices before aggressively pursuing other information and technology issues. If true, then there are potential downstream implications for the market as other information and technology priorities considered in this study may be put on hold or 'slow walked' until the security concerns of organizations are settled."

In addition to this survey, HIMSS also released a related report last week, the 2019 HIMSS Cybersecurity Survey, which sheds additional light on some of these issues. Among the highlights:

• A pattern of cybersecurity threats and experiences is discernable across U.S. healthcare organizations. Significant security incidents are a near universal experience with many of the initiated by bad actors, leveraging e-mail as a means to compromise the integrity of their targets.
   
• Many positive advances are occurring in healthcare cybersecurity practices and healthcare organizations appear to be allocating more of their IT budgets to cybersecurity.
   
• Complacency with cybersecurity practices can put cybersecurity programs at risk.
   
• Notable cybersecurity gaps exist in key areas of the healthcare ecosystem. The lack of phishing tests in certain organizations and the pervasiveness provides insight into what healthcare organizations are doing to protect their information and assets, in light of increasing cyber-attacks and compromises impacting the healthcare and public health sector.

[Editor's note: This article has been updated to include information about the HealthLeaders Innovation Exchange.]