A new healthcare cybersecurity study this week offered some interesting findings in its assessment benchmarking best practices and key performance indicators, such as use of the NIST Cybersecurity Framework and 405(d) Health Industry Cybersecurity Practices.
WHY IT MATTERS
In the 405(d) Post, Ed Gaudet, CEO and founder of Censinet, summarized five insights from the study’s first wave, insights which he noted were included in the U.S. Health and Human Services Hospital Cyber Resilience Landscape Analysis released in April, along with HICP 2023 and new health system employee cybersecurity resources.
The Healthcare Cybersecurity Benchmarking Study, co-led by Censinet, KLAS Research and the American Hospital Association, aims to establish robust, trusted and actionable peer benchmarks to help healthcare organizations strengthen cybersecurity maturity and resiliency.
Peer benchmarking, Gaudet said, is an invaluable tool, helping organizations identify, assess and mitigate enterprise cybersecurity risks. For the study that began at the close of 2022, the researchers are looking at how organizations are cleaving to the various cybersecurity frameworks, best practices and protocols to better understand where they are largely making progress, what some of the hold-ups are and where they have more to do.
“We’re looking at how prepared these organizations are to combat the adversaries that are obviously trying to plague and attack our health system,” Gaudet told Healthcare IT News at HIMSS23 in April when infosec leaders convened for a healthcare cybersecurity preconference.
The information coming in from across the sector confirms that the healthcare industry is more reactive than proactive, and is poised on response to cyberattacks, Gaudet said in the summary of the benchmarking study’s early indications for the latest 405(d) newsletter.
“The healthcare industry currently is better positioned to respond to security incidents versus identifying (and mitigating) cyber threats before they become incidents,” Gaudet wrote.
Across all five NIST CSF functions “respond” was ranked highest.
A second area he said healthcare delivery organizations should pay close attention to is supply chain risk management – healthcare maturity across all 23 NIST CSF categories is ranked last.
The healthcare organizations that have a greater third-party risk assessment maturity are finding lower annual increases in cyber insurance premiums.
“It’s kind of incredible,” Gaudet remarked in April as this information was coming in.
“So, if you had a mature third-party program, you weren’t getting these huge cyberinsurance premium increases. We think there is a lot there to impart,” he had said.
However, researchers are also finding that there is a wide disparity in how organizations are applying HICP across the 10 best practice areas, Gaudet said. While email protections ranked highest in adoption, medical device security ranked last.
“With 10-15 network-connected medical devices per bed, and the market for Internet-of-Medical-Things growing rapidly, this will certainly be a key focus area for both biomed leaders and [chief information security officers] – especially with ransomware groups now directly threatening patient care and safety,” he said.
In fact, the correlation between CISO program ownership and HICP adoption for medical device security is statistically significant, Gaudet said.
When the CISO’s office owned responsibility for medical device security, HICP coverage increased from 45% with no ownership to 63% with complete ownership.
THE LARGER TREND
Collaboration across the industry is key with cybercrime-as-a-service on the rise.
Gaudet and others advocate for Meaningful Protection, a legislative proposal that would model a federal cybersecurity investment program after one created to increase the use electronic health records.
“To truly transform cybersecurity in healthcare, the U.S. government must consider modeling a cybersecurity investment program after Meaningful Use – namely, the ‘meaningful protection’ of patient safety, data and care delivery operations realized through a combination of incentives and penalties over time,” Gaudet wrote for Forbes about strategies and next steps to protect healthcare organizations from ransomware and other cyberattck disruptions.
ON THE RECORD
“By comparing cybersecurity program performance and maturity to peer organizations, IT/Security teams can identify where critical gaps in security exist today, prioritize allocation of scarce resources and help justify future investment in cybersecurity to their boards to make the overall enterprise more resilient – and safer for patients,” Gaudet said in the 405(d) newsletter.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.