Healthcare Institutions Fall Short of National Cybersecurity Standards

  • Healthcare breaches continue in high numbers
  • Vendor report finds a majority of healthcare providers can’t meet NIST CSF criteria
  • Healthcare providers can get back on track, but it will take a strong focus on an effective remediation plan

It seems a day doesn’t go by without a story breaking about a data breach within a healthcare organization. Within the past few weeks, there have been rafts of healthcare breaches. Last week, a life was lost when a ransomware attack forced a patient to be diverted from one hospital to another.

It’s clear: healthcare organizations worldwide are understaffed when it comes to information security, are working with older technology, and are unable to bring their environments to the risk posture they need.

Last week, cybersecurity healthcare services provider CynergisTek released its annual report, Moving Forward: Setting the Direction. It’s their third such annual report and is based on the risk assessments performed across 300 organizations. This year’s report found that just 44% of healthcare providers — hospitals and health systems, physician practices, ACOs, and Business Associates — met the criteria detailed within the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF). Some organizations, the report found, actually lost ground.

Interestingly, the report found that just having a bigger budget didn’t necessarily mean better security outcomes. Some organizations with bigger budgets performed more poorly than their smaller counterparts who had less to invest.

However, in some cases, the report found that larger organizations slipped because of recent acquisitions where the newly acquired organizations’ computing environment had poor security postures. “What our report has uncovered over recent years is that healthcare is still behind the curve on security. While healthcare’s focus on information security has increased over the last 15 years, investment is still lagging. In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo won’t cut it,” David Finn, executive vice president, strategic innovation at CynergisTek said. “The good news is that issues emerging in our assessments are largely addressable. The bad news is that it is going to require investment in an industry still struggling with financial losses from COVID-19,” he continued.

The report found several factors holding healthcare organizations back from improving their security. They include poor security planning, lack of organizational focus, inadequate reporting structures, inadequate funding, and a lack of clear priorities and staff.

The report provided the following security remediation plan:

  • Look under the hood at security and privacy amid mergers and acquisitions: For health systems planning to integrate new organizations through mergers and acquisitions, leadership should be more diligent when examining the target organization’s security and privacy infrastructure, measures, and performance. It’s important to understand their books and revenue streams as well as their potential security risks and gaps, to prevent these issues from becoming liabilities.
  • Make security an enterprise priority: While other sectors like finance and aerospace have treated security as an enterprise-level priority, healthcare must also make this kind of commitment. Understanding how these risks tie to the bigger picture will help an organization that thinks it cannot afford to invest in privacy and information security risk management activities understand why making such an investment is crucial. Hospitals and healthcare organizations should create collaborative, cross-functional task forces like enterprise response teams, which offer other business units an eye-opening look into how security and privacy touch all parts of the business including financial, HR, and more.
  • Money isn’t a solution on its own: Just throwing money at a problem doesn’t work. Security leaders need to identify priorities and have a plan that leverages talent and tried-and-true controls such as multi-factor authentication, privileged access management and ongoing staff training to truly level up their defenses and take a more holistic approach, especially when bringing on new services such as telehealth.
  • Accelerate the move to cloud: While healthcare has traditionally been slow to adopt the cloud, these solutions provide the agility and scalability that can help leaders cope with situations like COVID-19, and other crises more effectively.
  • Shore up security posture: We frequently learn the hard way that security can disrupt workflow. COVID-19 taught us that workflow can also disrupt security, and things are going to get worse before they get better. Get an assessment quickly to determine immediate needs and come up with a game plan to bolster the defenses needed in this next normal.

The CynergisTek report is based on the aggregation of results from about 300 security risk assessments performed across provider facilities. The 2019 evaluations were based on the NIST Cybersecurity Framework. Additionally, CynergisTek said, all of the subjects of this analysis were also measured against the HIPAA Security Rule.

You can access the report here.