• American Hospital Association
• Censinet
• CHIME
• cyber threat mitigation strategies
• Cybersecurity investment
• Data privacy
• Email protection
• Health Industry Cybersecurity Practices (HICP)
• Healthcare cybersecurity
• KLAS Research
• Medical device security
• NIST
• NIST Cybersecurity Framework (NIST CSF)
• Risk management
• Supply Chain Risks

The long road ahead from reactive to proactive in cybersecurity

The recently published Healthcare Cybersecurity Benchmarking Study gives some significant insights into the current state of cybersecurity preparedness of healthcare organizations. Produced through the joint efforts of KLAS, Censinet and the American Hospital Association, the study highlights not only where these organizations stand but also potential areas where they can improve.

The study consists of feedback from 48 participating organizations. The questions we asked these organizations were designed to align with NIST Cybersecurity Framework (NIST CSF) and Health Industry Cybersecurity Practices (HICP) guidelines. NIST CSF focuses on the things any industry should prepare for in terms of cybersecurity, while HICP gives guidelines specifically designed for healthcare organizations. Both perspectives are crucial to addressing the challenges of cybersecurity.

NIST guidance and supply chain risks

The first section of the report addresses the following five NIST functions: Identify, Protect, Detect, Respond and Recover.

Identify covers organizations proactively identifying their potential risks. As we reviewed the data, it became clear that organizations are mostly reactive rather than proactive when it comes to managing cyberthreats.

Of the five function areas, Respond scored the highest, with 74 percent of organizations reporting maturity, while Identify scored the lowest, mentioned by 65 percent. This means that organizations tend to be good at setting up analysis or governance structures, and they have a general sense of how to respond to, analyze and mitigate risks when they come up.

But many organizations are lacking in some areas when it comes to identifying the potential issues, especially in supply chain risk management and asset management. When it comes to supply chain risk management, we see that organizations on average have less than 50 percent coverage.

With all the things healthcare organizations already face on a day-to-day basis, actively monitoring the supply chain risk is likely not high on anyone’s priority list. Keeping track of the risk from hundreds or even thousands of third parties – like payroll platforms, pharmaceutical companies or smart printers – is no small task. The benefits of being proactive in this area make the effort worth it. Though many factors go into insurance premium increases, organizations that report higher coverage of supply chain risk management are more likely to report lower year-to-year increases in their cybersecurity insurance premiums, and those that report lower coverage are more likely to report higher increases.

Findings from HICP guidelines

HICP guidelines vary depending on the size of an organization, but regardless of size, most organizations report that they have the highest coverage around email protection. In fact, more than half of participating organizations report that they have 100 percent coverage in most metrics under this area.

By comparison, a lot of work remains to be done with medical device security. The average coverage of medical devices is slightly more than 50 percent.

In the report, we suggest that ownership by information security leadership can make a difference in coverage of both medical devices and networks. We see that when information security leadership has 100 percent ownership of medical devices, the coverage of medical-device security is 18 percentage points more than organizations with no ownership (63 percent vs. 45 percent). Organizations looking to step up their game in this area should look to establish clearer governance and structure to better define who is responsible for managing risk.

Approaching the future

As the saying goes, prevention is better than cure, and it seems that organizations are starting to take this to heart when it comes to cybersecurity. After all, no one wants to be caught in the middle of a PR disaster because of a cyberattack.

And when attacks do happen, it's clear from the data that Recover, the final step in the NIST framework, while not the lowest, does still score lower. But as healthcare organizations work on these guidelines – particularly where they are weak now, that step is only likely to improve.

Over the last few years, the market has made advances in cybersecurity. For example, KLAS and CHIME published a white paper on cybersecurity in 2017. While not a strict comparison of the same organizations, they found that IT expenditure on cybersecurity was much lower than it is today. In 2017, 41 percent of the organizations spent less than 3 percent of their IT expenditure on cybersecurity, while 18 percent spent more than 7 percent of their IT expenditure.

Now, 47 percent of organizations are spending more than 7 percent of IT budget, while 13 percent spend less than 3 percent of that budget. Of course, there is a limit to how much organizations can realistically invest in cybersecurity. However, it's clear that this is an area that will continue to demand attention and resources in the years to come.

Ruirui Sun is an insights director at KLAS Research. Her areas of focus include cybersecurity and payer solutions. She can be reached at ruirui.sun@klasresearch.com.