Healthcare Informatics Magazine | Health IT | Information Technology

Cybersecurity Readiness: CynergisTek's Leaders Look at the Major Gaps Confronting HIT Leaders

March 1, 2018
by Mark Hagland
A new report from CynergisTek finds poor preparation across the industry to meet accelerating cyber threats

With data breaches literally becoming an everyday occurrence in healthcare, one of the overarching questions facing healthcare and healthcare IT leaders is how prepared they are for the cybersecurity future facing the healthcare industry.

That overarching question was on the minds of senior executives at the Austin, Tex.-based CynergisTek consulting firm, as they reworked what had been an annual report on cybersecurity threats that had been produced for the past decade by RedSpin, which last year became a part of Auxilio, which then merged with CynergisTek. The annual Breach Report by RedSpin has undergone a reengineering, the result of which was a broader analysis of cybersecurity preparation, published by CynergisTek on Thursday.

In releasing their report on Thursday morning, CynergisTek executives said in an announcement on the consulting firm’s website that “CynergisTek’s 2018 report aggregated ratings from assessments performed in 2017 at hundreds of individual hospitals, clinics, ancillary facilities, payers, business associates, etc. across the nation to reveal an average 45 percent conformance with NIST CSF [National Institute of Standards and Technology Cybersecurity Framework] controls. Furthermore, the report revealed that most organizations have opportunities for improvement in all five areas of the Core Elements of the framework including the ability to identify, protect, detect, respond and recover from a variety of cybersecurity incidents. These results highlight the growing need for healthcare organizations to make serious investments in cybersecurity readiness, as cybersecurity has become one of the top business risks facing healthcare today.”

The announcement went on to say that “Additional findings and information from the Improving Readiness: Meeting Cyber Threats report include:

  • Of all organization types, business associates scored the highest overall conformance
  • Out of the five core elements of NIST CSF, organizations had the lowest ratings in detecting potential cybersecurity events
  • The highest ratings were in the Core Elements of response and recovery
  • Academic medical centers had the highest conformance ratings among provider organizations
  • Not surprisingly, larger organizations performed significantly better across the board than smaller organizations
  • Revenue is a less consistent predictor of CSF conformance across all Core Elements
  • More organizations are beginning to treat cyber events as enterprise risk
  • Machine learning and behavioral analytics will play a significant role in helping healthcare organizations improve incident detection
  • Printers, as endpoint devices, present multiple risks to health information
  • Adoption of the NIST CSF can raise the overall level of preparedness and resilience of healthcare organizations

“Hopefully this report can provide a vehicle for the industry to become more aware of the need for greater emphasis and investment in cybersecurity readiness,” Mac McMillan, CEO of CynergisTek, said in a statement in Thursday morning’s announcement. “Hackers are becoming more sophisticated and we expect to see greater frequency and intensity of cyberattacks in healthcare. The NIST CSF gives healthcare organizations the framework they need to build the resilience that 21st-century healthcare is going to require.”




And, as McMillan wrote in the introduction to the report, “This report presents a sobering analysis of the results of over a hundred assessments, representing hundreds of individual hospitals, clinics, ancillary facilities, payers, business associates, etc. against the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). It tells us that despite over ten years of regulation there is still considerable room for improvement in cybersecurity. Those same organizations overwhelmingly received passing grades against the HIPAA Security and Privacy Rules when measured for compliance, demonstrating once again that compliance does not equate to security, nor will it protect your health system from a cyber incident.”

Further, he wrote, “Everything that we have focused on in the past will not apply going forward. Knowing the bad actors is not possible as the threat has become both ubiquitous and for the most part anonymous. Building fortresses with high walls, gates and moats will not stop the threat in a hyper-connected healthcare organization that is reliant on its affiliates, associates and supply chain to provide care and services. Security will need to use machine learning and artificial intelligence to identify threats and take action. Focusing on the past will have limited value as the threat is changing constantly and more rapidly than ever before. Creating a centralized security team with all of the skills and expertise needed is also an antiquated concept.”

The report’s authors also stated, “Looking at all the data, we see an average (mean) of 45 percent conformance with NIST CSF. Assuming that the maximum potential is 100 percent, our average of 45 percent is not a particularly promising sign. While the NIST CSF is only four years old, the HIPAA [Health Insurance Portability and Accountability Act of 1996] Security Rule will turn 13 in 2018 and healthcare is still catching up.”

The report was authored by eight CynergisTek leaders, including CEO McMillan; David Finn, its executive vice president, strategic innovation; Sean Hughes, its executive vice president, managed print services; Jeremy Molnar, its senior vice president, security services; Martin Arvin, vice president, audit strategy; Clyde Hewitt, vice president, security strategy; David Holtzman, vice president, compliance strategies; and John Nye, vice president, cybersecurity strategy.

Just prior to the public release of the report, McMillan and Finn spoke with Healthcare Informatics Editor-in-Chief Mark Hagland, regarding the report’s findings, and the implications of those findings for the road ahead for healthcare leaders around cybersecurity issues. Below are excerpts from that interview.

Can you share a bit about the historical background to the change to this annual report?

Mac McMillan: One of the organizations that became part of the new CynergisTek was RedSpin. And RedSpin had put out an annual threat report for nearly a decade, looking at all the bad things that are happening. And this year, we had the same threat reports that came out last week—the same types of occurrences. So we said, maybe what we need to do is to change the dialogue; instead of cataloguing all the bad things happening and all the threats, because so many people are already doing that, maybe we should focus on what we’re doing about it. So we’ve focused on readiness. Other organizations are focusing on how many incidents there have been—ransomware and other malware, etc., etc. But we’re talking about where the industry is in terms of responding to the NIST CSF, and what we need to focus on in order to be better prepared.

Why did you choose to focus so strongly on the NIST CSF?

David Finn: I was on the Health Care Industry Cybersecurity Task Force, which was established by the Department of Health and Human Services in March 2016, per the Cybersecurity Act of 2015, Section 405(c). The Task Force issued its report to Congress, per their deadline, in March 2017; Congress hasn’t done anything yet with that report.


In any case, in our work on the Task Force, we looked at a common framework, because to share across a hyper-connected environment across healthcare, it’s important to understand where you are and where others are. And it’s interesting to me that all 16 industries that the federal government had designated as critical, have accepted the NIST framework, with the exception of healthcare. That said, in healthcare, we’ve seen a significant uptake in adoption of NIST; 60 percent of the organizations are using it, HIMSS Analytics found two years ago. Healthcare leaders understand the need for a repeatable way of doing this risk assessment and of continuously updating and monitoring your environment. NIST is a national and international standard, and we believe that healthcare will get there. We looked at business associates, academic medical centers, medical practices, across this framework. NIST gives us a framework that works across sectors.

McMillan: Everyone’s realizing that simply focusing on compliance and on the HIPAA security rule is not sufficient in terms of understanding what we need to do to protect our systems and data, and ultimately, our patients. In fact, we’ve moved 100 percent of our customers to the NIST CSF model. At the same time, we still benchmark them against other frameworks or standards, as part of our assessment of their capabilities—including the HIPAA security rule. And the results on the HIPAA security rule side were much better than on the NIST CSF side. People have pretty much gotten the compliance thing down, but that’s no longer enough.

Finn: As I’ve long said, compliance only protects you if your attacker is an auditor.

You found that only 45 percent of patient care organizations indicated that they were in conformance with the NIST cybersecurity framework (CSF). What are your perspectives on that? Is that a higher figure than you’d actually expected? Lower?

McMillan: That’s not really what that stat says—across organizations, there was a 45-percent level of conformance to meet the minimum requirement for the maturity level you’d need to be at to say that that control is effective. It’s not that 45 percent were compliant with NIST CSF; that was the average conformance level across all customers in terms of basic implementation of the controls.

Finn: That’s right. And when you look at the average and the median, they were both at 45 percent. But that would indicate that the standard deviation, 26 percent, was pretty broad; and that tells us that some people were very high, while others were low. And so some organizations are very advanced, some are not; but some of the very advanced organizations are connecting to physician practices that may increase their risk. If everyone were at 45, we’d feel better, but this is telling us that we have people who have done very well, but others definitely are not.
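The distinction McMillan and Finn draw above, that "45 percent" is an average conformance level and not the share of organizations that conform, is easy to misread, so here is an added illustration. This is example code written for this article, not CynergisTek's scoring method or data; the maturity ratings, the four organizations, and the rule that a core function counts as conformant at rating 3 or above are all constructed assumptions. It also shows how a per-function breakdown surfaces the weakest area, the way the report singles out detection.

```python
"""Added illustration (not CynergisTek's method or data): why an average
conformance figure differs from the share of organizations that conform,
and how a per-function breakdown exposes the weakest core function.
All ratings below are constructed sample values."""
from statistics import mean, median, pstdev

# Assumption: each NIST CSF core function gets a maturity rating 0-4, and a
# function counts as "effective" once its rating reaches EFFECTIVE_LEVEL.
EFFECTIVE_LEVEL = 3
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Constructed assessment results for four hypothetical organizations.
SAMPLE_ASSESSMENTS = {
    "org-A": {"Identify": 4, "Protect": 4, "Detect": 3, "Respond": 4, "Recover": 4},
    "org-B": {"Identify": 2, "Protect": 3, "Detect": 1, "Respond": 3, "Recover": 3},
    "org-C": {"Identify": 1, "Protect": 2, "Detect": 0, "Respond": 1, "Recover": 2},
    "org-D": {"Identify": 3, "Protect": 2, "Detect": 2, "Respond": 3, "Recover": 3},
}


def conformance_percent(ratings):
    """Percent of core functions rated at or above EFFECTIVE_LEVEL for one org."""
    effective = sum(1 for f in FUNCTIONS if ratings[f] >= EFFECTIVE_LEVEL)
    return 100.0 * effective / len(FUNCTIONS)


def summarize(assessments):
    """Population statistics across organizations.

    'mean' is the figure a report would call average conformance;
    'fully_conformant_share' is the (different) share of orgs at 100 percent.
    """
    scores = [conformance_percent(r) for r in assessments.values()]
    fully = sum(1 for s in scores if s == 100.0)
    return {
        "mean": mean(scores),
        "median": median(scores),
        "stdev": pstdev(scores),
        "fully_conformant_share": 100.0 * fully / len(scores),
    }


def weakest_function(assessments):
    """Core function with the lowest mean rating across all organizations."""
    per_function = {
        f: mean(r[f] for r in assessments.values()) for f in FUNCTIONS
    }
    return min(per_function, key=per_function.get)


if __name__ == "__main__":
    stats = summarize(SAMPLE_ASSESSMENTS)
    for key, value in stats.items():
        print(f"{key:>24}: {value:6.1f}")
    print(f"{'weakest function':>24}: {weakest_function(SAMPLE_ASSESSMENTS)}")
```

On the constructed data the mean conformance is 55 percent while only one of four organizations (25 percent) conforms fully, and the wide standard deviation reflects exactly the spread Finn describes: one strong organization, one at zero, two in the middle.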

Even more worrisome than the 45-percent overall percentage was seeing the 27-percent average of conformance among physician groups. And those responses wouldn’t have been from the smallest physician groups. How dire is the cybersecurity situation for physicians in practice and physician groups, right now?

McMillan: I don’t like to use inflammatory language, but clearly, we should be concerned that we still have a lot of organizations out there that are absolutely missing this, or have very ineffective cybersecurity controls. As David pointed out very correctly, every one of our hospitals is talking about connecting with their communities; and they’ve got 30-40 percent of their supply chain being outside their control, but while being connected to their environment. And we’ll have mobile consumer devices and others creating even greater connectivity. And that ultimately affects the security of everybody. And yes, that is something we ought to be concerned about. And that’s the whole purpose of this report, to say that we’re all only as good as what any of us do. We’re not living in castles anymore.

Finn: I think Mac has summed it up well. It really is about the risk. At the end of the day, it’s about patient care and patient safety; so the Anthems, and Blue Crosses, etc., will grab the headlines when there are data breaches, because of the numbers of people affected. But a one- or two-doc practice in rural Texas gets ransomed, and patients can’t get the care they need, and that’s just as tragic. And [in contrast to data breaches that might impact people in a retailing context, for example], it’s not that you won’t get your Amazon order, it’s that you won’t have access to needed care.

The reality is that physician practices represent a point of extreme cybersecurity vulnerability, correct?

Finn: Yes, we’ve found that size actually does matter in terms of bed size of hospitals, for example. But we also found that revenue was a less reliable indicator. And with NIST, we can’t get Dottie a brand-new DLT system that she can’t manage. But NIST is not necessarily about technologies; it’s about managing the data. NIST—you still have to do something, but it may not be an expensive new technology.

McMillan: In my opinion, that got a little bit lost, meaning that I think next year we’ll have to go a bit further in terms of our analysis, because the revenues or money didn’t seem to be an indicator of how ready an organization was; size was an indicator. But in terms of scores in terms of revenue against their grade, there were some small organizations that did do relatively well. And another factor is the priority or importance that the leadership of the organization puts on cybersecurity, because when you see smaller organizations fund, and focus on, this area, and do well, it’s because leadership has focused on this priority. And when large organizations don’t do well, it’s because leadership was not shown.

What should we do to help physicians, whether their practices are affiliated or owned?

McMillan: I truly think that this industry, because of what’s going on with the threat world, is fast approaching the point where smaller organizations and physician practices are going to have to decide whether they can do it on their own, or whether there needs to be more consolidation in the industry, so that we can do this effectively. Or perhaps there needs to be some other change in the model, where we can provide support to the smaller guy, to give them the leg up in terms of what they need. Size mattered, especially in terms of resources; and the level of threat now is that we need to do something for the little guys.

Finn: How to address small providers was actually addressed in the [Health Care Industry Cybersecurity] Task Force’s report to Congress, including the idea of creating a marketplace for security for providers, so that they could pool resources, and to bring a group together to help these small practices. At the end of the day, a small provider, even a critical-access hospital, can’t really afford to do this. This will change the face of healthcare if we don’t address it; and because of our connectivity, we can’t just not talk to the small doctors and practices, or a home healthcare organization or durable medical provider in our community, so we are going to have to deal with that. The 405D Working Group, a separate step from the task force, is working under the auspices of the CIO at HHS, and they are very close to releasing the first of several reports, with tool sets. And the first one due out in March or April, focuses on small providers, and helps walk you through what you can do if you don’t have big budgets, but are small and are using cloud solutions.

Enterprise risk management is an important concept, and one mentioned in your report. Can you share your perspectives on that concept? What does it mean to you?

McMillan: Cyber risk is just another business risk that organizations have. It’s no different from medical malpractice liability or financial risk or whatever. And organizations need to start thinking about it that way, and no longer as an IT issue or a security issue. We live and work in an environment today in healthcare, where information is critical to what we do. So the thought that we can somehow not treat our information as a critical business asset, is just nonsense.

Finn: That’s absolutely correct. And I can tell you that, from the perspective of a CIO at a large integrated delivery network. We tended to see those silos around who was responsible for what. We’re starting to see GRC—governance risk and compliance—migrate into the private sector from the government sector. And we’ll add governance to next year’s report, because governance is key within the NIST framework, but they don’t have specific scoring yet. But when you started to look at integrated GRC, you see that the risks are about the data, including around availability. And that might not even be an IT issue; maybe the electricity is out.

And it also becomes an issue of confidentiality. Maybe someone printed out face sheets and they’re sitting around the office. So it’s a data issue. Data permeates everything, and if you’re not going to address this at that level, you’re going to miss those risks. One of the things I “loved” in this report was the fact that most organizations have seen an 11-percent increase in printed paper since EHR implementation. And we’ve neglected the fact that we’ve implemented EHRs, but we’re still printing things out. So you have to look at things holistically. I just did a report to a group where they had not integrated their physical and IT security. IT had done a good job, but there were physical risks.

What would your advice be to CIOs, CISOs, and all other healthcare IT leaders?

Finn: I’ve been saying it for many years: the issue is that CIOs and CISOs have got to stop talking technology with the non-IT people. The non-IT people don’t really care about the technology; they just expect it to be there, and for it to work. We have to talk business issues with the business people. If someone got surgery on the wrong side, then we’re in trouble. But if the wrong-site surgery took place because someone went in and maliciously altered the data in the EHR [electronic health record], then that’s an issue. We have to focus on the patients. We don’t leave patients sitting in parking lots, yet we’ll leave data sitting out in public view; and we don’t send patients to the wrong clinic. We’ve got to take that same level of care with the data. And part of that is telling the story from a business perspective, not from an IT perspective.



Anthem Agrees to Record Payment—$16M—for Largest U.S. Health Data Breach

October 16, 2018
by Heather Landi, Associate Editor

Anthem, Inc., the second largest health insurance company in the U.S., has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to settle potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules violations in the largest U.S. health data breach in history.

In early 2015, Anthem, based in Indianapolis, was hit with a series of cyberattacks that led to an unprecedented health data breach that exposed the electronic protected health information (PHI) of almost 79 million people.

The $16 million settlement is a record HIPAA settlement that eclipses the previous high of $5.55 million paid to OCR in 2016, according to a press release from OCR. As part of the settlement, Anthem also agreed to take substantial corrective action.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.  This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

As reported by Healthcare Informatics Feb. 5, 2015, the payer announced details of the breach late Wednesday (Feb. 4) in a letter from President and CEO, Joseph R. Swedish. He said that Anthem was the target of a “very sophisticated external cyber attack.” The hackers gained access to current and former members’ names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, and income data. Anthem says that credit card and medical information, such as claims, test codes, and diagnostic codes were not compromised.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks.

According to OCR, the agency’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

“In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014,” according to the OCR press release.

In the Healthcare Informatics story at the time of the breach, reported by Gabriel Perna, Anthem faced criticism from industry observers for its lack of encryption. Trent Telford, CEO of Reston, Va.-based Covata and a member of Anthem, said, at the time, that the company was irresponsible for not protecting the data.

“We do not know what they were after and we do not know what they plan to do with the data—what we do know is that they were after the data itself and it was left exposed and unsecured. The data was not encrypted making it a valuable target for thieves,” he said in a statement that was quoted in the story. “It is irresponsible for businesses not to encrypt the data. We have to assume the thieves are either in the house or are going to break in—they will always build a taller ladder to climb over your perimeter security - we must protect the data itself.”

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.  The resolution agreement and corrective action plan can be accessed here.




Minnesota DHS Acknowledges Increase in Targeted Phishing Attacks

October 15, 2018
by Rajiv Leventhal, Managing Editor

Two phishing attacks on employees at the Minnesota Department of Human Services (DHS) resulted in the possible leakage of about 21,000 Minnesotans’ personal information.

The state health agency issued a notice last week that explained over the last several months, several phishing campaigns have targeted Minnesota’s executive agencies, including DHS. Two of these attacks were deemed “successful,” in that hackers—once in June and another time in July—were able to gain access to the state email accounts of two DHS employees, using these accounts to send out spam emails. The agency’s IT department didn’t find out about the attacks until August, officials said.

According to DHS, the two email accounts contained information about some people who have interacted with DHS, including the Minnesota citizens who were notified. Examples of the type of information found in the email accounts at the time they were compromised include: first and last names, dates of birth, Social Security numbers, addresses, telephone numbers, medical information, educational records, employment records, and/or financial information, officials noted.

The agency did add in its notice, “We currently have no evidence that this information was actually viewed, downloaded, or misused.”

According to a report in the Minnesota Star Tribune, this is just the latest cyberattack on Minnesota’s state agencies, “which fend off about 3 million hacking attempts daily, state officials have said. In fact, attacks are increasing, said Aaron Call, the chief information security officer for Minnesota IT Services, which provides technology services to state executive agencies,” according to that report.

In fact, in just the past nine months, “more than 700 security incidents have been reported affecting state agencies, Call said, adding that the attacks are becoming ‘more pervasive and more sophisticated,’” according to the Star Tribune report.



CISOs, CIOs Not Confident in Their Medical Device Security Strategy, New KLAS Research Finds

October 9, 2018
by Heather Landi, Associate Editor
According to a survey of CIOs and CISOs, healthcare organizations have an average of 10,000 connected medical devices

The healthcare industry continues to be bombarded with security attacks, and these cyber attacks are continuously evolving and becoming more sophisticated over time. At the same time, the healthcare ecosystem has become more connected with the increasing use of Internet of Things (IoT) medical devices, and these medical devices introduce vulnerabilities into healthcare organizations.

Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked, while also posing a threat to the security and privacy of patients’ protected health information (PHI). A recent medical device security report, the result of a collaborative effort between the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Security (AEHIS), and the Orem, Utah-based KLAS Research, sheds light on the current state of the medical device security industry. For the report, KLAS interviewed 148 CIOs, chief information security officers (CISOs), chief technology officers (CTOs) and other professionals at provider organizations to gauge their level of confidence in their medical device security strategies, the most common challenges they face, their perceptions of the security and transparency of major medical device manufacturers, and the best practices they leverage to overcome medical device security challenges.

The author of the report, Dan Czech, director, market analysis, cybersecurity at KLAS Research, will provide an in-depth overview of this report and medical device security trends during Healthcare Informatics’ Seattle Health IT Summit Oct. 22-23 at the Grand Hyatt Seattle.

The sheer number of connected medical devices that the average healthcare provider is trying to manage speaks to the tremendous challenge IT security leaders face, says Czech. “We spoke to organizations ranging from small to mid-sized clinics all the way to large multi-hospital IDNs (integrated delivery networks), and everyone in between, and the average number of connected medical devices was just under 10,000 medical devices. You think of the enormity of that problem, for an organization to wrap their arms around the problem of managing 10,000 devices,” he says.

What’s more, respondents reported that, among the thousands of connected medical devices that their organizations are managing, about one-third (33 percent) of those devices are “unpatchable.”



According to the research, 18 percent of provider organizations had medical devices impacted by malware or ransomware in the last 18 months, although few of these incidents resulted in compromised PHI or an audit by the Office for Civil Rights, U.S. Department of Health and Human Services (HHS OCR).

Czech notes that there have not been any patient safety events, to date, as a result of a medical device security issue; however, respondents cite patient safety as a top concern. “Let’s take an infusion pump,” he says. “The ability for a bad actor to gain access to that pump and change the dosage of the medication that’s being injected into a human, that is the kind of patient safety issue that we are concerned about.”

Czech continues, “Another way medical device security affects patient safety is if a device is on Windows XP, and WannaCry ransomware hits; if something like that happens, that device is taken out of production. You may have an oncology patient who needs consistent treatment with a medical device, and if you take that out of production, it disrupts patient care and impacts patient safety.”

The report found that most respondents are either neutral about or not confident in their current medical device security strategy, with CISOs and CIOs more likely to report concern. Only 39 percent of respondents said they were very confident or confident that their current strategy protects patient safety and prevents disruptions in care. Thirty-one percent said they were unconfident or very unconfident, and another 30 percent were neutral. About one-fifth of respondents feel that the inherent risks of medical devices—several of which are outside of their control—will prevent them from ever feeling confident.

Those healthcare leaders who expressed confidence most often point to their security processes and policies, including access limitations, network segmentation and regular device monitoring and risk assessment, as the source of their confidence, followed by strong technology. To support these processes and policies, many leverage security technologies, such as access controls, asset tracking, firewalls, and medical device monitoring. Strong executive support (financial and organizational) and cross-department collaboration also drive confidence, as evidenced by the fact that large IDNs, who more commonly have greater financial resources, are more likely to be confident in their strategies, according to the report.

“Respondents who report they are more confident also are those that have a clear line of ownership, not a shared responsibility,” Czech notes.

Those respondents that lacked confidence in their medical device security cited lack of manufacturer support as the top reason. Almost as common are internal issues related to basic—but hard-to-master—security tasks, such as understanding what assets exist in their organization, which have been patched, which are connected to their network, and what systems those devices are talking to. “Asset and inventory visibility is the basic blocking and tackling of medical device security strategy—you can’t protect what you don’t know. They are looking for tools and processes that they can put in place that will help them understand all the devices they have, what’s connected to their networks, and in some cases, what software is on the devices,” Czech says.

What’s more, 76 percent of provider organizations report that their resources are insufficient or too strained to adequately secure their medical devices.

More Manufacturer Support and Collaboration Needed

Taking a deep dive into the root causes of medical device security struggles, the report finds that interviewed organizations are almost unanimous in citing manufacturer-related factors as a cause of their medical device security issues. Most provider organizations see this issue as one of shared responsibility. As one CISO explained in the report, “I think there needs to be a coordinated effort between the manufacturers, the provider sites, and the regulators. I wish there were some other way for us to address this issue, but without that three-way partnership, I just don’t see how things will work out.”

According to Czech, the research findings indicate there is a gap between how long organizations expect to be able to use a device and how long vendors feel they can keep a device up to date and secure. As a result, nearly all interviewed organizations (93 percent) have struggled with out-of-date operating systems or the inability to patch a device throughout its expected life cycle. Currently, many manufacturers do not allow customers to patch devices themselves, or void warranties if they do.

Insufficient security controls, insufficient encryption, and hardcoded passwords are each cited as manufacturer-caused issues by about half of respondents. Adding to provider organizations’ frustration, on average, almost one-third of medical device vendors decline to offer contract provisions favorable to security.

However, the industry is beginning to shift, Czech notes. “Many provider organizations have drawn a line in the sand to say all contracts now and going forward will include standardized security contract language,” he says. “This trend has been led by forward-thinking provider organizations and it also has benefited smaller organizations that may not have the legal teams or the cybersecurity teams that bigger organizations have, but they can use that standardized language in their contracts as well.”

What’s interesting, Czech notes, is that many respondents spontaneously brought up frustrations regarding the role of the U.S. Food and Drug Administration (FDA) in medical device security, though KLAS did not specifically ask respondents about it. “It gets back to shared responsibility,” he says. “Respondents feel that manufacturers have a stake in this, they have a stake in this, but so does the FDA. Predominantly, the concern that they shared was that their manufacturer would hide behind their perceptions of the FDA regulations.”

Almost two-thirds of respondents said manufacturers blame FDA policies, claiming the policies prevent them from making devices more secure. About a third said FDA policies are unclear, giving manufacturers ways to skirt around responsibility, and a third said that even when policies are clear, the FDA doesn’t hold manufacturers accountable, according to the report.

Cybersecurity Programs Advancing Forward

According to the research, organizations are increasingly adopting a number of best practices to strengthen medical device security. There are foundational best practices that organizations should implement, such as performing risk assessments, ensuring the inclusion of security provisions in their contracts, and ensuring they receive a software bill of materials, Czech notes. Organizations also report using the most common and basic defense techniques, such as network segmentation, antivirus software, and vulnerability scanning, to ameliorate security risk.

With regards to organizations’ patching strategies, many provider organizations have begun requesting that vendors use contract language that clearly outlines patching responsibilities and timelines.

Providers also are leveraging third-party solutions to improve medical device security, with nearly 75 percent of respondents currently using or planning to use third-party software or services, according to the report. Network access control (NAC) is most often used to segment networks and approve/deny access. To reduce costs and clearly define ownership, other organizations outsource their clinical engineering as well.

Looking at overall cybersecurity trends, the report indicates that organizations are investing more resources, both operationally and financially, in their cybersecurity programs. Almost 70 percent of organizations (68 percent) report having a VP or C-level leader in charge of the security program, and that’s up from only 42 percent in 2017, representing a 26-percent increase.

“Large IDNs are definitely leading the way with CISO leadership, as about 80 percent of their organizations have a CISO in charge, whereas if you look at clinics and community hospitals, those would be hospitals under 200 beds, only less than 10 percent have a CISO in charge,” Czech says. “Many of those smaller organizations have a CIO that wears two hats—an IT hat and a security hat.”

Organizations also reported improvements to security programs compared to a year ago. Twenty-seven percent considered their security programs to be fully functional and 47 percent said they were developed or starting to function in 2018, compared to 16 percent and 41 percent, respectively, in 2017.

More than half of organizations (57 percent) report that security is an agenda item at board meetings monthly or quarterly. In addition, 83 percent of organizations have increased their security budget in the last two years, and, on average, budgets increased by 85 percent, according to the report.
