Today, CynergisTek, a leading cybersecurity firm helping more than 1,000 hospitals navigate emerging security and privacy issues, released their new annual report, “Moving Forward: Setting the Direction.” The third annual report revealed that only 44 percent of providers across the continuum, including hospital and health systems, conformed to protocols outlined by the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) – with scores in some cases trending backwards since 2017.
Analysts examined nearly 300 assessments of provider facilities across the continuum, including hospitals, physician practices, ACOs and Business Associates assessed by CynergisTek against the NIST CSF.
The report also found that healthcare supply chain security is one of the lowest-ranked areas for NIST CSF conformance. This is a critical weakness, given that COVID-19 demonstrated just how broken the healthcare supply chain really is, with providers buying PPE from unvetted suppliers.
“We found healthcare organizations continue to enhance and improve their programs year-over-year. The problem is they are not investing fast enough relative to an innovative and well-resourced adversary,” said Caleb Barlow, president and CEO of CynergisTek. “These issues, combined with the rapid onset of remote work, accelerated deployment of telemedicine and impending openness of EHRs and interoperability, have set us on a path where investments need to be made now to shore up America’s health system. However, the report isn’t all doom and gloom. Organizations that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools have seen significant improvements to their NIST CSF conformance scores.”
CynergisTek’s report revealed that bigger healthcare institutions with bigger budgets didn’t necessarily perform better when it comes to security, and in some cases performed worse than smaller organizations or those that invested less. In some cases, this was a direct result of consolidation, where health systems directly connect to newly acquired hospitals without first shoring up their security posture and conducting a compromise assessment.
“What our report has uncovered over recent years is that healthcare is still behind the curve on security. While healthcare’s focus on information security has increased over the last 15 years, investment is still lagging. In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo won’t cut it,” said David Finn, EVP of Strategic Innovation at CynergisTek. “The good news is that issues emerging in our assessments are largely addressable. The bad news is that it is going to require investment in an industry still struggling with financial losses from COVID-19.”
Leading factors influencing performance include poor security planning and lack of organizational focus, inadequate reporting structures and funding, confusion around priorities, lack of staff and no clear plan.
To overcome these challenges, key strategies to bolster healthcare security and achieve success include:
- Look under the hood at security and privacy amid mergers and acquisitions: For health systems planning to integrate new organizations into the fold through mergers and acquisitions, leadership should be more diligent when examining the acquired organization’s security and privacy infrastructure, measures and performance. It’s important to understand their books and revenue streams as well as their potential security risks and gaps, to prevent these issues from becoming liabilities.
- Make security an enterprise priority: While other sectors like finance and aerospace have treated security as an enterprise-level priority, healthcare must also make this kind of commitment. Understanding how these risks tie to the bigger picture will help an organization that thinks it cannot afford to invest in privacy and information security risk management activities understand why making such an investment is crucial. Hospitals and healthcare organizations should create collaborative, cross-functional task forces like enterprise response teams, which offer other business units an eye-opening look into how security and privacy touch all parts of the business including financial, HR, and more.
- Money isn’t a solution: Just throwing money at a problem doesn’t work. Security leaders need to identify priorities and have a plan that leverages talent and tried-and-true strategies like multi-factor authentication, privileged access management and ongoing staff training to truly raise the level of their defenses and take a more holistic approach, especially when bringing on new services such as telehealth.
- Accelerate the move to cloud: While healthcare has traditionally been slow to adopt the cloud, these solutions provide the agility and scalability that can help leaders cope with situations like COVID-19, and other crises more effectively.
- Shore up security posture: We frequently learn the hard way that security can disrupt workflow. COVID-19 taught us that workflow can also disrupt security, and things are going to get worse before getting better. Get an assessment quickly to determine immediate needs and come up with a game plan to bolster the defenses needed in this next normal.
CynergisTek’s Annual Report and the rankings are based on aggregating the maturity ratings of nearly 300 security risk assessments performed across provider facilities by CynergisTek in 2019, using the NIST Cybersecurity Framework as the benchmark standard. Based on those assessments and using a six-point scale (0 to 5, where 0 is Incomplete and 5 is Optimized Process), the team examined whether processes were in place to meet desired outcomes and were continuously improved to achieve current and projected goals. All of the subjects of this analysis were also measured against the HIPAA Security Rule. CynergisTek calculated the national average of the nearly 300 assessments, which accounts for providers across the entire continuum of care, including Business Associates, Critical Access Hospitals, Academic Medical Centers, Health Systems, Physician Groups and Payers.
CynergisTek is a top-ranked cybersecurity firm dedicated to serving the information assurance needs of the healthcare industry. CynergisTek offers specialized services and solutions to help organizations achieve privacy, security, and compliance goals. Since 2004, the company has served as a partner to hundreds of healthcare organizations and is dedicated to supporting and educating the industry by contributing to relevant industry associations. The company has been recognized by KLAS as a top-performing firm in healthcare cybersecurity and was named a 2019 Top Healthcare Cybersecurity Consultant in the Black Book IT Advisory Outcomes Survey.