Healthcare Is More Reactive Than Proactive When It Comes to Cybersecurity, KLAS, AHA, Censinet Find

April 25, 2023 - KLAS, the American Hospital Association (AHA) and healthcare risk management solutions company Censinet released the much-anticipated first wave of results of its Healthcare Cybersecurity Benchmarking Study.

The findings are based on responses from 48 healthcare organizations of varying sizes. The questions focused on measuring adherence to the guidelines recommended by the NIST Cybersecurity Framework (NIST CSF) and the Health Industry Cybersecurity Practices (HICP).

In terms of maturity with the NIST CSF’s five core functions, survey results indicated that many healthcare organizations still operate reactively rather than proactively when it comes to cybersecurity. Specifically, the results showed low coverage in the areas of Supply Chain Risk Management, Asset Management, and Risk Management.

Additionally, more than 40 percent of surveyed healthcare organizations were found to be noncompliant with conducting response and recovery planning with third-party suppliers. These findings align with ongoing third-party risk management challenges and a recent uptick in third-party data breaches across the healthcare sector.

“A particular challenge is that conducting testing with third-party suppliers is resource intensive, requiring coordination between both the healthcare organization and the vendor,” the report noted.

“It also demands process management that many healthcare organizations may not yet have the maturity to provide. However, efforts in this area can pay off— organizations that report higher Supply Chain Risk Management coverage are more likely to report lower year-to-year increases in their cybersecurity insurance premium.”

Despite shortcomings in third-party or supply chain risk management, respondents reported the highest average NIST coverage in the Respond function, showing that healthcare organizations are often well-equipped to investigate and understand internal cybersecurity incidents and respond accordingly.

Alignment with HICP guidance is more complex because the guidance varies based on organization size. For this section, respondents self-selected one of three categories based on size and IT capabilities. Email protection systems stood out as a strong fixture within most cybersecurity programs, with more than half of the surveyed organizations reporting 100 percent coverage. As phishing remains a top cyber threat, healthcare’s focus on email protections is warranted.

“On the other hand, medical device security is an area of industry-wide vulnerability, with average coverage barely over 50 [percent],” the report stated.

“Almost all responding organizations ensure medical devices are wiped of all data when decommissioned. However, when such configuration is supported by the manufacturer, less than two-thirds configure medical devices to allow only known processes and executables to run on medical devices, and most of these organizations report doing this for only some devices.”

While medical device security remains a significant challenge, healthcare organizations reported strong access management and cybersecurity policies when measured against the HICP. Additionally, medical device security ownership by information security leadership correlated with better adherence to the HICP, exemplifying the importance of governance and clear responsibility structures.

Overall, the study showed that while healthcare organizations are making great progress in implementing policies and strategies that protect them from cyber risk, there is room for improvement when it comes to program maturity. Specifically, third-party risk management and medical device security may be weak points in an organization’s security program.

Future iterations of the Healthcare Cybersecurity Benchmarking Study will shed more light on opportunities for growth and maturity levels within the healthcare cybersecurity space.

“The Healthcare Cybersecurity Benchmarking Study initiative provides critical intelligence to help guide our fight against those who directly threaten hospital operations and patient care,” said John Riggi, national advisor for cybersecurity and risk at the AHA.

“Peer benchmarking delivers immediate, actionable insights into cybersecurity performance and provides a targeted roadmap for improvement, driving much-needed investment in cyber resiliency across our entire field.”