Higher NIST CSF and HCIP Coverage Linked with Lower Cyber Insurance Premium Growth
Adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) improves resilience to cyberattacks and the reduced risk is reflected in cyber insurance premiums. A recent Healthcare Cybersecurity Benchmarking Study has confirmed that healthcare organizations that have adopted the NIST CSF had lower annual increases in their cyber insurance premiums than healthcare organizations that have not adopted the NIST CSF.
The study was the result of a collaboration between Censinet, KLAS Research, the American Hospital Association, Health-ISAC, and the Healthcare and Public Health Sector Coordinating Council and was conducted on 54 payer and provider organizations and 4 healthcare vendors in Q4, 2023. Adoption of the NIST CSF indicates a higher level of preparedness and resiliency and therefore lower risk for insurers. Healthcare organizations that use the NIST CSF as their primary cybersecurity framework report premium increases of one-third (6%) of the percentage reported by organizations that have not adopted the NIST CSF (18%).
The report assesses cybersecurity coverage, specifically coverage of the NIST CSF and Health Industry Cybersecurity Practices (HICP), and reveals little has changed in the past 12 months with average NIST CSF coverage increasing from 69% in 2023 to 72% in 2024, and average HICP coverage increasing from 71% in 2023 to 73% in 2024. Average coverage across the 5 NIST CSF core functions – identify, protect, detect, respond, recover – ranged from 65% to 75%, with the lowest coverage in the identify function and the highest in the respond function. This indicates most healthcare organizations that participated in the study were generally more reactive than proactive in their approach to cybersecurity. Out of all categories within the NIST CSF, supply chain risk management (identity) had the lowest coverage, which is concerning given the number of third-party data breaches in healthcare. The study revealed this to be a key consideration for insurers when setting premium increases. Higher coverage of supply chain risk management was associated with smaller increases in cyber insurance premiums.
Average HCIP coverage was better, with most organizations having email protection systems (84%) in place and cybersecurity oversight and governance (83%), but there was only 50% coverage of medical device security and 60% coverage of data protection/loss prevention. 25 healthcare delivery organizations also participated in last year’s benchmarking study and their average NIST CSF and HCIP coverage was higher than other provider and payer organizations. Those repeat organizations also had lower increases in their cyber insurance premiums than other healthcare organizations, on average.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The benchmarking studies have confirmed that high program ownership by information security leaders leads to higher cybersecurity coverage. Across all organizations, average NIST CSF and HICP coverage was between 71% and 72%, but organizations that assign information security leaders higher percentages of program ownership achieved above-average cybersecurity coverage, especially in the HCIP areas of endpoint protection systems and data loss and loss prevention.
“For the second year in a row, the Benchmarking Study sets the highest standard for collaborative, impartial, and transparent insight into the current state of the health sector’s cyber maturity, and, more importantly, enables providers and payers to make more informed investment decisions to close critical gaps in controls and elevate overall cybersecurity program preparedness,” said Steve Low, President of KLAS Research.
“With comprehensive benchmarks across ‘recognized security practices’ like NIST CSF and HICP, the Benchmarking Study will drive greater, more enduring cybersecurity maturity and resilience across both our Health-ISAC member community and the broader health sector,” said Errol Weiss, Chief Security Officer of Health-ISAC.
