How far have patient care organizations really gotten in terms of evolving forward their cybersecurity strategies? A report collectively produced by Censinet, KLAS Research, the American Hospital Association, Health-IASAC, and the Healthcare and Public Health Sector Coordinating Council, is providing a snapshot.
“Current and Emerging Healthcare Cyber Threat Landscape: Executive Summary for CISOs,” was published on Feb. 29. The report begins thus: “With cyberattacks on the rise, having a strong cybersecurity strategy is a must for healthcare organizations, especially as they face post-pandemic resource constraints and staffing shortages. Many are protecting their data by adopting and implementing cybersecurity frameworks and best practices, such as the NIST Cybersecurity Framework (NIST CSF) and the Health Industry Cybersecurity Practices (HICP). NIST CSF and HICP are accessible resources for healthcare organizations, and high NIST CSF and HICP coverage is a strong indication of cybersecurity preparedness. This report—a collaboration between Censinet, KLAS, the American Hospital Association, Health-ISAC, and the Healthcare and Public Health Sector Coordinating Council—provides an update to previous research on the status of healthcare cybersecurity preparedness. It also examines the effect of governance and resource investment on cybersecurity preparedness and insurance premiums. Data for this report comes from 58 respondents (54 payer or provider organizations and 4 healthcare vendors) who were interviewed September–December 2023.”
An absolutely key question: which cybersecurity frameworks and guidelines have patient care organizations implemented? They are as follows (most have implemented more than one)? NIST CSF, 57 percent; CIS Controls, 29 percent; HICP, 29 percent; HITRUST, 14 percent; NIST CSF (not used as the primary cybersecurity framework): 14 percent; ISO/IEC 27001, 10 percent; SOC 2, 9 percent; ISO/IEC 27002, 5 percent; CMMC, 3 percent; other frameworks/guidelines, 22 percent; no frameworks/guidelines, 10 percent.
Asked about their coverage across their organizations along various dimensions, the following were the results with regard to maturity with NIST CSF functions: “identify,” 65 percent; “protect,” 70 percent; “detect,” 70 percent; “respond,” 75 percent; “recover,” 69 percent;
When it comes to maturity with HICP functions, the survey found the following results: “email protection systems,” 84 percent; “cybersecurity oversight and governance,” 83 percent; “access management,” 79 percent; “vulnerability management,” 77 percent; ‘Incident response,” 71 percent; “asset management,” 70 percent; “endpoint protection systems,” 69 percent; “network management,” 67 percent; “data protection and loss prevention,” 60 percent; and “medical device security,” 50 percent.
Importantly, the report notes, “On average, respondent organizations who adopt NIST CSF have lower year-over-year increases to their cybersecurity insurance premiums. In particular, those using NIST CSF as their primary cybersecurity framework report premium increases one-third the percentage reported by non-NIST CSF organizations. Higher coverage within the NIST CSF categories related to cyber resiliency is especially correlated with lower increases in cybersecurity premiums. Focusing on these areas helps organizations mitigate the impact of breaches on patient care and safety and maintain business continuity.”