Healthcare still playing catch-up when it comes to cybersecurity preparedness

Healthcare organizations are still more reactive than proactive when it comes to cybersecurity, a new study by Censinet, KLAS Research and the American Hospital Association revealed.

A total of eight leading health systems sponsored the study to assess how closely the industry aligns with the standards established by the National Institute of Standards and Technology (NIST) and Health Industry Cybersecurity Practices (HICP) guidance.

Across NIST functions, supply chain risk management had the lowest coverage. In relation to HICP guidance, email system protections showed strength while medical device security lagged. Additional questions gathered insights into how organizations are investing in cybersecurity preparedness.

“As patient safety is put at risk by an increasingly malicious threat landscape, U.S. hospitals and health systems must stay ahead of bad actors the best they can,” Erik Decker, chief information security officer at Intermountain Health and chair of the Health Sector Coordinating Council’s Cybersecurity Working Group, said in a press release. “Drawn from the unique insights in the Healthcare Cybersecurity Benchmarking Study, the landscape analysis is a significant asset for healthcare organizations—especially those under-served—to make the right investment decisions to bolster their cybersecurity maturity and resiliency for the long run.”

The study was designed to establish actionable benchmarks for cybersecurity resilience and create visibility of the problem still talked about in hushed tones despite repeated high-profile attacks.

NIST’s cybersecurity framework outlines five functions: identify, protect, detect, respond and recover. Along the timeline of a breach, organizations were best prepared when it came to responding to attacks and least able to identify attacks.

Over 40% of companies are not compliant with NIST respond and recover planning in relation to supply chain risk management providers, the study showed.

Within the respond function, the analysis category was the most mature: all organizations reported investigating notifications from detection systems, and the majority reported that at least 70% of this area was protected.

“The Healthcare Cybersecurity Benchmarking Study initiative provides critical intelligence to help guide our fight against those who directly threaten hospital operations and patient care,” John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, said in a press release. “Peer benchmarking delivers immediate, actionable insights into cybersecurity performance and provides a targeted roadmap for improvement, driving much-needed investment in cyber resiliency across our entire field.”

Email systems, with phishing being the most common path past hospital security, showed the greatest maturity, with average coverage reaching 84% in relation to HICP guidance. However, medical device security has a long way to go, with average coverage barely over 50%. Internet of Medical Things (IoMT), data protection and loss prevention, and network management are all areas where hospitals lag in alignment with HICP guidance.

While HICP guidance differs based on organizational size, email had the highest protections regardless of size. 

Between 2017 and 2023, the percentage of total IT expenditure allocated to cybersecurity increased substantially, as did cybersecurity insurance premiums.

“This landmark initiative represents a giant leap forward to shine a light on the state of cybersecurity in the industry and, at the same time, to help elevate cybersecurity resiliency and maturity across all organizations,” Adam Gale, chief executive officer at KLAS Research, said in a press release.

Intermountain Health, Mass General Brigham, Cedars-Sinai, Marshfield Clinic Health System, Fairview Health Services, Baptist Health, Hartford HealthCare and Dayton Children’s sponsored the study.

The first wave of the study was conducted from November 2022 to March 2023 and includes 48 healthcare delivery organizations. Participants in the second wave of the study are currently being recruited.