Health systems remain reactive ...
According to a recent study sponsored by eight leading health systems and conducted by Censinet, KLAS Research, and the American Hospital Association, healthcare organizations are still more reactive than proactive when it comes to cybersecurity. The study aimed to evaluate how aligned the industry is with the standards established by the National Institute of Standards and Technology (NIST) and Health Industry Cybersecurity Practices (HICP) guidance. The study found that supply chain risk management had the lowest coverage across NIST functions, while email system protections showed strength in relation to HICP guidance, but medical device security lagged.
Cybersecurity Resilience in Health Systems
- Purpose of the study: to establish actionable benchmarks for cybersecurity resilience and to make the problem visible, given that repeated high-profile attacks have not yet driven a proactive posture
- NIST's Cybersecurity Framework outlines five functions: identify, protect, detect, respond, and recover
- Organizations were best prepared to respond to attacks but least able to identify them
- More than 40% of the organizations surveyed are not compliant with NIST response and recovery planning for supply chain risk management, according to the study
Email systems, phishing being the most common path past hospital defenses, showed the greatest maturity, with average coverage reaching 84% of HICP guidance. Medical device security, however, has a long way to go, with average coverage barely over 50%. Internet of Medical Things (IoMT) security, data protection and loss prevention, and network management are all areas where hospitals lack alignment with HICP guidance. While HICP guidance differs by organizational size, email had the highest level of protection regardless of size.
Cybersecurity Spending in Health Systems
- Increase in cybersecurity spending in health systems between 2017-2023
- The percentage of total IT expenditure allocated to cybersecurity increased substantially
- Increases in cybersecurity insurance premiums also observed
- Erik Decker, Chief Information Security Officer at Intermountain Health and Chair of the Health Sector Coordinating Council's Cybersecurity Working Group, warns of a hostile landscape and determined bad actors
- Patient safety is in jeopardy, says Decker in a press release
According to Adam Gale, CEO of KLAS Research, the initiative represents a significant step in shedding light on the state of cybersecurity in the industry and is expected to help raise cybersecurity maturity and resilience across all participating organizations.
The study’s initial phase ran from November 2022 to March 2023 and featured 48 healthcare delivery organizations, with recruitment currently underway for the second phase. As the threat landscape becomes increasingly malicious, the study suggests that healthcare organizations must make appropriate investment decisions to improve their cybersecurity maturity and resilience over the long term, as patient safety is at stake.