6 ways smaller health systems are falling behind in cybersecurity: CHIME-KLAS survey

While large healthcare organizations are successfully adopting best practices for cybersecurity, smaller health systems and hospitals are falling behind as budget constraints and a lack of qualified talent hinder progress, according to a new survey.

The College of Healthcare Information Management Executives (CHIME) and KLAS Research surveyed 647 healthcare organizations, representing 2,190 hospitals, as part of CHIME's Most Wired survey. They used those responses to gauge how well health systems are adopting voluntary cybersecurity best practices.

A task group within the Department of Health and Human Services (HHS) released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) (PDF) in December 2018. The document outlines 10 recommendations to help healthcare stakeholders reduce their cyber vulnerabilities. The HHS recommendations cover areas such as email protection systems, endpoint protection systems, access management, data protection and loss prevention, medical devices, and asset management.

According to the CHIME-KLAS benchmarking white paper (PDF), most organizations have deployed email and endpoint protection systems, establishing an initial layer of defense against internal and external threats. Since email is a necessary but high-risk form of communication, email security strategies are considered table stakes at most healthcare organizations, according to the white paper.

But many have not done enough in other areas, such as protecting against phishing schemes. 

Here's a look at what the survey found:


Phishing simulations

The HHS task group recommends that organizations conduct monthly phishing simulations, which often include on-the-spot workforce training. Over 70% of organizations conduct such simulations at least quarterly, with many doing so more frequently, according to the CHIME-KLAS survey. But 16% of small and midsize organizations do not conduct phishing simulations at all or do them less than once a year. (The white paper classifies small hospitals as those with fewer than 50 beds and medium-sized organizations as those with fewer than 300 beds.)

Digital signatures

Large organizations are three times more likely to use digital signatures than are their smaller counterparts, the white paper said. A digital signature lets the recipient verify that an email was sent by the holder of a particular signing key and that its contents were not altered in transit; a forged or tampered message fails the signature check.
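The following Go program, added here as an illustration and not part of the CHIME-KLAS report, shows the two properties the paragraph describes. It uses an Ed25519 key from Go's standard library in place of the S/MIME or PGP certificates a mail client would actually use, and the message body, the sender's key seed and the attacker's key are constructed for the example. The recipient's check accepts the genuine message, rejects the same signature once the account number has been edited in transit, and rejects a message signed with a key that is not the sender's.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Constructed sample: a fixed 32-byte seed so the example is deterministic.
// A real deployment keeps the signing key in an HSM or protected key store,
// never as a hard-coded value.
var senderSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// SignMessage produces a detached signature over the message body.
func SignMessage(priv ed25519.PrivateKey, body []byte) []byte {
	return ed25519.Sign(priv, body)
}

// VerifyMessage reports whether sig was made over body by the holder of pub.
func VerifyMessage(pub ed25519.PublicKey, body, sig []byte) bool {
	return ed25519.Verify(pub, body, sig)
}

// CheckEmail exercises the three cases a mail client's signature check must
// distinguish: genuine, tampered in transit, and forged with a different key.
func CheckEmail() (genuine, tampered, forged bool) {
	senderPriv := ed25519.NewKeyFromSeed(senderSeed)
	senderPub := senderPriv.Public().(ed25519.PublicKey)

	// Constructed sample message, the kind of payment request phishers imitate.
	body := []byte("From: billing@hospital.example\nPlease wire the vendor payment to account 1234.")
	sig := SignMessage(senderPriv, body)

	genuine = VerifyMessage(senderPub, body, sig)

	// Tampering: the account number is changed in transit, the signature is not.
	altered := bytes.Replace(body, []byte("1234"), []byte("9999"), 1)
	tampered = VerifyMessage(senderPub, altered, sig)

	// Forgery: an attacker signs the same text with their own key (constructed seed).
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	forgedSig := SignMessage(attackerPriv, body)
	forged = VerifyMessage(senderPub, body, forgedSig)
	return genuine, tampered, forged
}

func main() {
	genuine, tampered, forged := CheckEmail()
	fmt.Printf("genuine=%v tampered=%v forged=%v\n", genuine, tampered, forged)
}
```

The part the protocol does not solve is key trust: the recipient must already have the sender's public key, which is what the certificate or key directory in an S/MIME or PGP rollout supplies, and what makes such a rollout harder for a small organization than the signing step itself.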

Nearly all surveyed organizations report that they currently use endpoint encryption, a simple and relatively inexpensive protection. While most organizations have implemented intrusion-detection and -prevention systems, about 20% of small organizations have not deployed them.

Identity and access management

Identity and access management (IAM) technology is becoming increasingly important for healthcare organizations as they attempt to balance security needs with end users’ desires for quick system access. Many health systems are making the transition from homegrown IAM technologies to third-party tools, with large organizations significantly more likely to have implemented identity management and provisioning tools.

Multifactor authentication

Phishing scams, which harvest users' credentials, pose a major cybersecurity risk to healthcare organizations and increase the need for multifactor authentication, so that a stolen password alone is not enough to gain access. But less than half of smaller hospitals and health systems have a multifactor authentication solution in place today, according to the survey.
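To make the "stolen password alone is not enough" point concrete, here is an added Go example (not from the report or the HHS guidance) of a time-based one-time password (TOTP, RFC 6238) second factor, the mechanism behind common authenticator apps. The shared secret is the RFC 4226/6238 test key, used only so the output can be checked against the published vectors; the user name, password and login flow are constructed for the example, and a real system would compare against a salted password hash rather than the plaintext shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// Constructed sample secret: the RFC 4226/6238 test key. In production each
// user's secret is generated randomly at enrolment and stored encrypted.
var sharedSecret = []byte("12345678901234567890")

const (
	step   = 30 // seconds per time step
	digits = 6  // code length shown to the user
)

// hotp computes the RFC 4226 HOTP value for one counter: HMAC-SHA1, dynamic
// truncation to 31 bits, then reduction to the requested number of digits.
func hotp(secret []byte, counter uint64) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return int(code % uint32(math.Pow10(digits)))
}

// TOTPAt returns the code valid at the given Unix time (RFC 6238: counter = time/step).
func TOTPAt(secret []byte, unix int64) int {
	return hotp(secret, uint64(unix)/step)
}

// VerifyTOTP accepts the code for the current step and one step either side,
// tolerating modest clock skew between phone and server, and compares in
// constant time so timing does not leak how many digits matched.
func VerifyTOTP(secret []byte, unix int64, code int) bool {
	got := fmt.Sprintf("%0*d", digits, code)
	for skew := int64(-1); skew <= 1; skew++ {
		want := fmt.Sprintf("%0*d", digits, TOTPAt(secret, unix+skew*step))
		if subtle.ConstantTimeCompare([]byte(want), []byte(got)) == 1 {
			return true
		}
	}
	return false
}

// Login models the second factor: a correct password is necessary but not
// sufficient. (Plaintext comparison is for illustration; use a salted hash.)
func Login(password, storedPassword string, unix int64, code int) bool {
	if subtle.ConstantTimeCompare([]byte(password), []byte(storedPassword)) != 1 {
		return false
	}
	return VerifyTOTP(sharedSecret, unix, code)
}

func main() {
	now := time.Now().Unix()
	fmt.Printf("current code: %0*d\n", digits, TOTPAt(sharedSecret, now))
	// A phished password without the current code is rejected.
	fmt.Println("password only:  ", Login("hunter2", "hunter2", now, 0))
	fmt.Println("password + code:", Login("hunter2", "hunter2", now, TOTPAt(sharedSecret, now)))
}
```

A phisher who captures the password still lacks the shared secret, so the code they would need changes every 30 seconds and cannot be derived from what they stole; real-time phishing relays that forward the code within its validity window are the remaining gap, which is why phishing-resistant factors such as FIDO2 keys are preferred where budgets allow.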


Data loss prevention

As the healthcare industry moves toward increased interoperability, it is becoming increasingly important for organizations to make sure patient data is shared in a safe and secure way. The majority of surveyed organizations, including over 70% of small organizations, report having data loss prevention tools in place. But at smaller organizations, data loss prevention deployments are more likely to be limited in scope, the white paper said.

With the proliferation of medical devices, effective asset management, or simply keeping track of devices, is critical to a robust cybersecurity program. There is room for improvement when it comes to having real-time device-location data, the survey found, as only 50% of small organizations and 60% of midsize organizations use RFID/RTLS technology to identify and track assets.

Network segmentation

Networks support connections and the movement of data between systems, but if not properly deployed and managed, they can also let an attack spread from one compromised system to others and to the data they hold. The HHS task group also recommends network segmentation to keep the impact of an attack isolated to specific portions of the network. Most health systems have network access control solutions to monitor devices connected to their networks, but less than half of small organizations use network segmentation to contain the spread of malware.

Large organizations also use more sophisticated and more frequent vulnerability scanning and application testing than do small organizations, CHIME and KLAS report in the white paper.


“This report is a wake-up call and road map to identifying cybersecurity vulnerabilities for healthcare providers, and highlighting where specific progress needs to be made,” Adam Gale, president of KLAS, said in a statement. “CHIME is playing a critical role in monitoring and promoting the adoption of HICP recommendations.”

Successful cybersecurity programs are not based on technology alone, according to CHIME and KLAS, but rather they are based on policy and supported by strong technology. 

Even when it comes to cybersecurity policy, small and medium-sized organizations are lagging behind at adopting best practices such as having a dedicated chief information security officer, the white paper reports. These organizations are nearly four times as likely as large organizations to lack a CISO.

Nearly half of medium and large organizations have cybersecurity as a topic at board meetings at least quarterly. While most organizations have a governance, risk, and compliance committee in place, less than half of organizations, and fewer than 1 in 5 small organizations, have a board-level committee overseeing their cybersecurity program.