With data breaches now an everyday occurrence in healthcare, one of the overarching questions facing healthcare and healthcare IT leaders is how prepared their organizations are for the cybersecurity threats the industry faces.
That question was on the minds of senior executives at the Austin, Tex.-based consulting firm CynergisTek as they reworked the annual cybersecurity threat report that RedSpin had produced for the past decade. RedSpin became part of Auxilio last year, and Auxilio then merged with CynergisTek. RedSpin’s annual Breach Report has been reengineered into a broader analysis of cybersecurity preparedness, which CynergisTek published on Thursday.
In releasing their report on Thursday morning, CynergisTek executives said in an announcement on the consulting firm’s website that “CynergisTek’s 2018 report aggregated ratings from assessments performed in 2017 at hundreds of individual hospitals, clinics, ancillary facilities, payers, business associates, etc. across the nation to reveal an average 45 percent conformance with NIST CSF [National Institute of Standards and Technology Cybersecurity Framework] controls. Furthermore, the report revealed that most organizations have opportunities for improvement in all five areas of the Core Elements of the framework including the ability to identify, protect, detect, respond and recover from a variety of cybersecurity incidents. These results highlight the growing need for healthcare organizations to make serious investments in cybersecurity readiness, as cybersecurity has become one of the top business risks facing healthcare today.”
The announcement went on to say that “Additional findings and information from the Improving Readiness: Meeting Cyber Threats report include:
- Of all organization types, business associates scored the highest overall conformance
- Out of the five core elements of NIST CSF, organizations had the lowest ratings in detecting potential cybersecurity events
- The highest ratings were in the Core Elements of response and recovery
- Academic medical centers had the highest conformance ratings among provider organizations
- Not surprisingly, larger organizations performed significantly better across the board than smaller organizations
- Revenue is a less consistent predictor of CSF conformance across all Core Elements
- More organizations are beginning to treat cyber events as enterprise risk
- Machine learning and behavioral analytics will play a significant role in helping healthcare organizations improve incident detection
- Printers, as endpoint devices, present multiple risks to health information
- Adoption of the NIST CSF can raise the overall level of preparedness and resilience of healthcare organizations”
“Hopefully this report can provide a vehicle for the industry to become more aware of the need for greater emphasis and investment in cybersecurity readiness,” Mac McMillan, CEO of CynergisTek, said in a statement in Thursday morning’s announcement. “Hackers are becoming more sophisticated and we expect to see greater frequency and intensity of cyberattacks in healthcare. The NIST CSF gives healthcare organizations the framework they need to build the resilience that 21st-century healthcare is going to require.”
And, as McMillan wrote in the introduction to the report, “This report presents a sobering analysis of the results of over a hundred assessments, representing hundreds of individual hospitals, clinics, ancillary facilities, payers, business associates, etc. against the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). It tells us that despite over ten years of regulation there is still considerable room for improvement in cybersecurity. Those same organizations overwhelmingly received passing grades against the HIPAA Security and Privacy Rules when measured for compliance, demonstrating once again that compliance does not equate to security, nor will it protect your health system from a cyber incident.”
Further, he wrote, “Everything that we have focused on in the past will not apply going forward. Knowing the bad actors is not possible as the threat has become both ubiquitous and for the most part anonymous. Building fortresses with high walls, gates and moats will not stop the threat in a hyper-connected healthcare organization that is reliant on its affiliates, associates and supply chain to provide care and services. Security will need to use machine learning and artificial intelligence to identify threats and take action. Focusing on the past will have limited value as the threat is changing constantly and more rapidly than ever before. Creating a centralized security team with all of the skills and expertise needed is also an antiquated concept.”
Further, the report’s authors stated, “Looking at all the data, we see an average (mean) of 45 percent conformance with NIST CSF. Assuming that the maximum potential is 100 percent, our average of 45 percent is not a particularly promising sign. While the NIST CSF is only four years old, the HIPAA [Health Insurance Portability and Accountability Act of 1996] Security Rule will turn 13 in 2018 and healthcare is still catching up.”