Organizations must have the right staff members in place who are properly trained, and also have appropriate technical tools to ensure that a proper cybersecurity response can occur following a data security incident.
Healthcare entities in particular must work to create a comprehensive cybersecurity response plan, but recent studies show that there is still room for improvement.
Seventy-seven percent of organizations said they do not have a formal cybersecurity incident response plan (CSIRP) applied consistently across their entity, according to The Third Annual Study on the Cyber Resilient Organization by IBM Security and the Ponemon Institute.
Of the 2,800 respondents, approximately half stated that their incident response plan was informal or did not exist.
The study also showed a need for proper employee training in cybersecurity. Seventy-seven percent of those surveyed said it is difficult to retain and hire IT Security professionals. Fifty percent reported their organization's current CISO or security leader has been in place for three years or less, while 23 percent said they do not currently have a CISO or security leader.
“Having the right staff in place is critical but arming them with the most modern tools to augment their work is equally as important,” IBM Resilient VP of Product Management and Co-Founder Ted Julian said in a statement. “A response plan that orchestrates human intelligence with machine intelligence is the only way security teams are going to get ahead of the threat and improve overall Cyber Resilience.”
Confidence levels in being able to properly respond to a cybersecurity attack could also be misplaced, researchers found.
Seventy-two percent of organizations said they felt more cyber resilient today than they were last year. However, 57 percent of respondents said the time to resolve an incident has increased, while 65 percent said attack severity has increased.
“A sharp focus in a few crucial areas can make a big difference when it comes to Cyber Resilience,” Dr. Larry Ponemon said in a statement. “Ensuring the security function is equipped with a proper incident response plan, staffing, and budget will lead to a stronger security posture and better overall Cyber Resilience.”
The picture for healthcare cybersecurity response may not be as bleak, however: a recent CynergisTek report found that healthcare entities scored highest in the response and recovery Core Elements of the NIST Cybersecurity Framework.
The Improving Readiness: Meeting Cyber Threats report measured how healthcare organizations are implementing NIST CSF controls.
The assessments were conducted across numerous types of healthcare entities, including individual hospitals, clinics, ancillary facilities, payers, and business associates. Overall, there was an average of 45 percent conformance with NIST CSF controls.
Organizations had the lowest ratings in detecting potential cybersecurity events, while the highest ratings were in the Core Elements of response and recovery.
The assessment ranked organizations on a scale of 0 to 5, with 5 being an “Optimized Process.” The average conformance with the NIST CSF response and recovery elements was 2.5, the report found. This indicates that “most organizations are not prepared to respond comprehensively to a cyber incident at their organization,” report authors explained.
More healthcare organizations are treating cybersecurity events as enterprise risk. Respondents also cited machine learning and behavioral analytics as factors that would play a significant role in helping to improve incident detection.
“Hackers are becoming more sophisticated and we expect to see greater frequency and intensity of cyberattacks in healthcare,” CynergisTek CEO Mac McMillan said in a statement. “The NIST CSF gives healthcare organizations the framework they need to build the resilience that 21st century healthcare is going to require.”
The NIST CSF can be greatly beneficial for healthcare organizations as they work to create a comprehensive approach to cybersecurity.
NIST Cybersecurity Framework Program Manager Matt Barrett explained to HealthITSecurity.com in a February 2018 interview that cyber hygiene is an especially critical dimension of the Framework.
Citing the 2017 WannaCry ransomware attack as an example, Barrett said the incident “discerned a line of demarcation: who patches within a certain threshold of months and who doesn't.”
“That's an example of one where there's specific subcategory guidance within Framework around patching within reasonable risk thresholds,” Barrett said. “Clearly, those who did not patch within that timeline, they were beyond a threshold that's set by the threat environment.”
“If they got pinched by WannaCry, of course they can revise that and integrate that into their risk management strategy moving forward,” he continued. “But the Framework certainly would have helped with that risk decision.”
The NIST CSF is also well suited to helping organizations of all sizes, Barrett maintained. The healthcare landscape is highly diverse, and that diversity itself creates cybersecurity challenges.
“The challenge is in the vast difference in these environments and the way they're managed and the education and awareness that's required,” Barrett said.
For example, a small physician practice may have an individual who is not a cybersecurity expert running that facility.
“Do they understand what kind of iterative, dynamic cybersecurity risk management looks like?” Barrett asked. “That is really the space where the Framework lives.”