Just 44% of Healthcare Providers Meet NIST Cybersecurity Standards

September 23, 2020 - Only 44 percent of healthcare organizations, including hospitals and health systems, adhere to NIST cybersecurity framework standards, despite a drastic increase in healthcare data breaches in recent years, according to a recent report from security firm CynergisTek. 

For its this annual report, CynergisTek analysts examined about 300 assessments of providers across the sector for the last three years against the NIST Cybersecurity framework, such as physician practices, accountable care organizations (ACOs), and business associates. 

Researchers found that only scores for conformance with the HIPAA Security Rule improved from 2018, but just by 1 percent from 2018 to 2019 to 76 percent, compared to 70 percent in 2017. 

“While the NIST CSF continues to grow in adoption internationally and in the US across all sectors, including healthcare, healthcare conformance with the CSF continues to lag across all sectors,” researchers wrote. “This decline in overall conformance should be an alarming call to action for the industry, not just for IT and security leaders.” 

“It has already been made crystal clear that due to COVID-19, care delivery and IT delivery models are transforming drastically,” they added. The changes in both increases the attack surface insecurity and privacy issues for covered entities, business associates, and patients themselves.” 

READ MORE: HIPAA Compliance: ONC Updates Security Risk Assessment Tool

There was an expected decline in NIST CF scores given changes to managing supply chain cybersecurity and the Identify, Protect, and Respond sub-categories added to the framework. But the report showed all conformance scores declined except for “detect,” remaining at an average 2.1 score across all three years of the report. 

What’s troubling is that there has been no progress in NIST conformance, which researchers explained is equivalent to slipping back when it comes to cybersecurity. So far this year, there’s been a record number of phishing and DDoS cyberattacks. And combined with COVID-19, economic, and staffing challenges, these issues will only worsen as 2020 progresses. 

“In cybersecurity, if you are not improving, you are falling behind in managing your risks — the bad guys keep getting better, the technology more complex and more of it is being deployed,” researches wrote. “The compliance requirements for both privacy and security are more onerous and unlike the early 2000s when HIPAA was the 800-pound gorilla.” 

“COVID-19 has shifted and intensified the threat landscape for everyone – including expanded health-related targets (more remote workers, clinical and pharmaceutical research facilities and laboratories),” they added. 

The report also found that healthcare supply chain security is one of the lowest ranked areas in its conformance with NIST standards, which researchers stressed is alarming as the COVID-19 pandemic has highlighted weaknesses in the supply chain. 

READ MORE: COVID-19 Cybersecurity: Building Resilience Beyond the Crisis

Several federal alerts have also pointed to an increase in phishing and business email compromise (BEC) schemes disguised as supply chain emails for personal protective equipment. 

What’s more, the size of the organization and budget did not equate to better security performance. Researchers found that in some situations larger organizations performed worse than smaller healthcare provider organizations or to those investing less in security. 

The data showed that for some, the decline in performance was caused by consolidation where systems directly connected to newly acquired hospitals without first ensuring their security posture or conducting a risk assessment. 

CynergisTek President Caleb Barrlow noted that although healthcare organizations continue to enhance and improve cybersecurity programs on an annual basis, the challenge is that providers are just “not investing fast enough relative to an innovative and well-resourced adversary.”  

“These issues, combined with the rapid onset of remote work, accelerated deployment of telemedicine and impending openness of EHRs and interoperability, have set us on a path where investments need to be made now to shore up America’s health system,” Barlow said in a statement. 

READ MORE: Inadequate Security, Policies Led to LifeLabs Data Breach of 15M Patients

Organizations that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools have seen significant improvements to their NIST CSF conformance scores,” he added. 

And at least 79 percent of the assessed facilities scored less than a “C” in terms of conformance with the NIST CF, as was reported in 2018, as well. In 2017, just 15 percent performed at or above those levels. 

The report also noted that it appears as if the industry may be focused too much on receiving high marks, rather than actually reducing risk to the enterprise. Notably, just 103 of the 300 assessed organizations completed a risk assessment that year.

Overall, assisted living facilities best conformed with the NIST CF at 96 percent in 2019 and an average of 92 percent over the last three years, followed by insurers at 59 percent. 

However, while the three-year average of insurers conforming with NIST CF was 76 percent, the amount declined from 2017’s average of 93 percent conforming with the standard. Notably, ACOs, business associates, and physician groups have also declined in their conformance with NIST over the last three years. 

And physicians' groups were the least likely to conform with NIST standards: 28 percent conformed with NIST CF this year with a three-year average of just 20 percent conforming with the standard. 

“While healthcare’s focus on information security has increased over the last 15 years, investment is still lagging,” David Finn, executive vice president of of Strategic Innovation at CynergisTek, said in a statement. 

“In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo won’t cut it,” he added. “The good news is that issues emerging in our assessments are largely addressable. The bad news is that it is going to require investment in an industry still struggling with financial losses from COVID-19.” 

Researchers stressed that in order for healthcare organizations to improve their security posture, they must prioritize privacy and security with any merger or acquisition and a renewed focus on security across the enterprise. 

Further, investing in security isn’t enough: researchers stressed that security leaders must identify priorities, invest in multi-factor authentication, privileged access management, and on-going workforce security training. 

Lastly, risk assessments are crucial to determine immediate security needs and a plan for future security priorities – it also ensures compliance with HIPAA.