A new healthcare cybersecurity study produced some interesting findings this week in its assessment of best practices and key performance indicators, such as use of the NIST Cybersecurity Framework and 405(d) Health Industry Cybersecurity Practices.
WHY IT MATTERS
In the 405(d) notice, Ed Gaudet, CEO and founder of Censinet, summarized five insights from the first wave of the study, which he noted were included in the US Health and Human Services Hospital Cyber Resilience Landscape Analysis released in April, along with HICP 2023 and new healthcare system employee cybersecurity tools.
The Healthcare Cybersecurity Benchmarking Study, conducted by Censinet, KLAS Research and the American Hospital Association, aims to establish robust, trusted and actionable peer benchmarks to help healthcare organizations strengthen cybersecurity maturity and resilience.
According to Gaudet, peer benchmarking is an invaluable tool that helps organizations identify, assess and mitigate corporate cybersecurity risks. For the study that began in late 2022, the researchers will look at how organizations are adhering to various cybersecurity frameworks, best practices and protocols to better understand where they are largely making progress, what some of the delays are and where they have more to do.
“We are looking at how prepared these organizations are to combat the adversaries who are clearly trying to plague and attack our healthcare system,” Gaudet told Healthcare IT News at HIMSS23 in April, when infosec leaders gathered for a preconference on healthcare cybersecurity.
The information coming in from across the industry confirms that the healthcare industry is more reactive than proactive and is ready to respond to cyber attacks, Gaudet said in summarizing early indications from the benchmark study for the latest 405(d) newsletter.
“The healthcare industry is currently better positioned to respond to security incidents than to identify (and mitigate) cyber threats before they become incidents,” Gaudet wrote.
Of all five NIST CSF functions, “Respond” was ranked highest.
A second area he says healthcare organizations need to pay close attention to is supply chain risk management, which ranks last in healthcare maturity across all 23 NIST CSF categories.
Those healthcare organizations that have greater maturity in third-party risk assessment see lower annual increases in cyber insurance premiums.
“It’s kind of unbelievable,” Gaudet noted in April when this information came through.
“So if you had a mature third-party program, you wouldn’t get these huge premium increases for cyber insurance. We think there’s a lot to offer,” he had said.
However, researchers are also finding that there is a wide disparity in how organizations apply HICP across the ten best practice areas, Gaudet said. While email security ranks highest in adoption, medical device security ranks last.
“With 10 to 15 networked medical devices per bed, and the Internet-of-Medical-Things market growing rapidly, this will certainly be a key area of focus for biomedical leaders and (chief information security officers) alike – especially with ransomware groups which now pose a direct threat to patient care and safety,” he said.
In fact, the correlation between CISO program ownership and HICP adoption for medical device security is statistically significant, Gaudet said.
When the CISO office was responsible for medical device security, HICP coverage increased from 45% without ownership to 63% with full ownership.
THE BIG TREND
Collaboration across the sector is crucial as cybercrime-as-a-service is on the rise.
Gaudet and others are calling for Meaningful Protection, a legislative proposal that would model a federal cybersecurity investment program after one designed to increase the use of electronic health records.
“To truly transform healthcare cybersecurity, the U.S. government should consider modeling a cybersecurity investment program after meaningful use – namely the ‘meaningful protection’ of patient safety, data, and care delivery operations achieved through a combination of incentives and penalties over time,” Gaudet wrote in Forbes on strategies and next steps to protect healthcare organizations from ransomware and other disruptions from cyber attacks.
ON THE RECORD
“By comparing the performance and maturity of cybersecurity programs against peer organizations, IT/security teams can identify where critical security gaps currently exist, prioritize the allocation of scarce resources, and help justify future cybersecurity investments to their boards to make the overall business more resilient – and safer for patients,” Gaudet said in the 405(d) newsletter.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.