Only 44% of healthcare organizations, including hospitals, health systems and third-party vendors, are meeting national cybersecurity standards designed to protect against cyberattacks.
And bigger healthcare institutions with larger budgets didn't necessarily perform better when it comes to security, according to a new report from cybersecurity firm CynergisTek. In fact, big organizations sometimes performed worse than smaller organizations or those that invested less, the report found.
In some cases, this was a direct result of consolidation: health systems connected newly acquired hospitals directly to their networks without first shoring up the acquired organization's security posture and conducting a compromise assessment, according to CynergisTek.
Analysts at the Austin, Texas-based security firm examined nearly 300 assessments of provider facilities, including hospitals, physician practices, accountable care organizations and business associates, to determine how well they are conforming to the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) protocols, which are considered security best practices.
Looking at historical client data, CynergisTek found cybersecurity scores in some cases trending backward since 2017.
In 2017, CynergisTek's assessment found 45% of organizations complied with NIST cybersecurity protocols. There was a measurable uptick to 47% in 2018. In 2019, a year with a record number of attacks and breaches in healthcare, that average had dropped to 44%.
In 2019, 79% of facilities scored less than a C in terms of conformance with the NIST cybersecurity best practices, the report found.
Leading factors influencing performance include poor security planning and lack of organizational focus, inadequate reporting structures and funding, confusion around priorities, lack of staff and no clear plan, the report found.
This decline in overall conformance should be an alarming call to action for the industry, not just for IT and security leaders, CynergisTek said.
While healthcare’s focus on information security has increased over the last 15 years, investment is still lagging, according to David Finn, executive vice president of strategic innovation at CynergisTek.
"In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo won't cut it," he said. "The good news is that issues emerging in our assessments are largely addressable. The bad news is that it is going to require investment in an industry still struggling with financial losses from COVID-19."
The healthcare industry also is looking down the barrel at new regulations that will complicate cybersecurity.
Interoperability and information blocking rules, which go into effect in just a few months, mean even more data sharing with more people, places and devices. The overall decline in conformance—as the healthcare industry enters a post-COVID-19 world, and issues around privacy and new interoperability and information blocking rules become effective—does not bode well for where the sector needs to be, according to the report.
The report also found that healthcare supply chain security is one of the lowest ranked areas for NIST cybersecurity protocol conformance. This is a critical weakness, given that COVID-19 demonstrated just how broken the healthcare supply chain really is with providers buying personal protective equipment (PPE) from unvetted suppliers, CynergisTek said.
"The problem is [healthcare organizations] are not investing fast enough relative to an innovative and well-resourced adversary," said Caleb Barlow, president and CEO of CynergisTek, in a statement.
There are some bright spots, however. "Organizations that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools have seen significant improvements to their NIST CSF conformance scores," Barlow said.
CynergisTek offered some key strategies for healthcare organizations to bolster their security defenses.
- Look under the hood at security and privacy amid mergers and acquisitions: For health systems planning to integrate new organizations into the fold through mergers and acquisitions, leadership needs to be more diligent when examining the organization’s security and privacy infrastructure, measures and performance. It’s important to understand their books and revenue streams as well as their potential security risks and gaps to prevent these issues from becoming liabilities.
- Make security an enterprise priority: Understanding how these risks tie to the bigger picture will help an organization that thinks it cannot afford to invest in privacy and information security risk management activities understand why making such an investment is crucial. Hospitals and healthcare organizations should create collaborative, cross-functional task forces like enterprise response teams, which offer other business units an eye-opening look into how security and privacy touch all parts of the business.
- Money isn’t a solution: Security leaders need to identify priorities and have a plan that leverages talent, tried-and-true strategies like multifactor authentication, privileged access management and ongoing staff training to truly level up their defenses and take a more holistic approach.
- Accelerate the move to the cloud: While healthcare has traditionally been slow to adopt the cloud, these solutions provide the agility and scalability that can help leaders cope with situations like COVID-19 and other crises more effectively.
- Shore up security posture: COVID-19 taught us that workflow can also disrupt security, and things are going to get worse before getting better. Get an assessment quickly to determine immediate needs, and come up with a game plan to bolster defenses needed in this next normal.