Report: The State of Privacy and Security in Healthcare

2020 was a particularly bad year for the healthcare industry with record numbers of data breaches reported. Ransomware was a major threat, with Emsisoft identifying 560 ransomware attacks on healthcare providers in 2020. Those attacks cost the healthcare industry dearly. $20.8 billion was lost in downtime in 2020, according to Comparitech, which is more than twice the ransomware downtime cost to the healthcare industry in 2019.

With the healthcare industry facing such high numbers of cyberattacks, the risk of a security breach is considerable, yet many healthcare organizations are still not fully conforming with the NIST Cybersecurity Framework (NIST CSF) and the HIPAA Security Rule, according to the 2021 Annual State of Healthcare Privacy and Security Report published today by healthcare cybersecurity consulting firm CynergisTek.

To compile the reportThe State of Healthcare Privacy and Security – Maturity Paradox: New World, New Threats, New Focus – CynergisTek used annual risk assessments at 100 healthcare organizations and measured progress alongside overall NIST CSF conformance. 75% of healthcare organizations improved overall NIST conformance in 2020; however, 64% of healthcare organizations fell short of the 80% NIST conformance level considered to be the passing grade. Most of the improvements made in 2020 were only small.

As the graph below shows, 53 healthcare organizations improved NIST conformance year over year, 32 of those were considerably below the 80th percentile and 17 healthcare organizations saw NIST conformance decline year-over- year.

Year-over-Year Improvements in NIST CSF Conformance. Source: CynergisTek State of Healthcare Privacy and Security Report.

In order to improve resilience to ransomware and other cyberattacks, it is essential for healthcare organizations to improve their security posture. It will not be possible to stay one step ahead of threat actors if organizations do not take steps to improve NIST CSF and HIPAA Security Rule conformance.

While good conformance scores are a good indication of security posture, they do not necessarily reflect the extent to which healthcare organizations have reduced risk. For this year’s report, CynergisTek placed less emphasis on conformance scores and assessed the measures healthcare organizations had taken to identify which core functions of the NIST CSF appeared to be really driving long term security improvements, with the goal of identifying the best opportunities for both short- and long-term success.

The Identity function provides the foundation on which the rest of the core functions are based, but 73% of healthcare organizations were rated low performers in this function. Asset management and supply chain risk management were two of the key areas that need to be addressed. The healthcare supply chain is a universal issue and the weak link in healthcare. Many healthcare organizations struggle to validate whether or not third-party vendors meet specific security requirements. 76% of healthcare organizations failed to secure their supply chains.

The Protect function requires safeguards to be implemented to protect critical infrastructure and data. One of the main areas where organizations were falling short is protection of data using encryption. “An organization’s default for storing protected data of any kind and transmitting it should include encryption – it clearly does not”, explained CynergisTek. High performers achieved 90% conformance for protection of data at rest, whereas the rest of the sector was in the low 30th percentile.

In the Detect function, there was a major difference between high and low performers, but overall there were good levels of implementation; however, to be considered a high performer it is necessary to get the detect function substantially implemented and to ensure there is significant automation of security monitoring.

The Respond function concerns an organization’s ability to quickly implement appropriate activities when a cybersecurity event is detected, and this is an area where significant improvements need to be made. Only the highest performers are actively investigating notifications from detection systems, and only high performers were consistently and substantially mitigating incidents.

The recover function identifies activities required to return to normal operations after a cybersecurity incident. While there were gaps among the high performers, conformance was generally very good, but significant improvements need to be made by low performers. Around two-thirds (66%) of healthcare organizations are underperforming in recovery planning.

CynergisTek identified several aspects of security that healthcare organizations need to focus on over the coming 12 months:

  • Improve automation of security functions
  • Validate technical controls for people and processes
  • Perform exercises and drills at the enterprise level to test all components of the business
  • Secure the supply chain
  • Look beyond the requirements of the HIPAA Rules and further enhance privacy and security measures

The researchers found notable improvements had been made in organizations’ HIPAA privacy programs in 2020, with some healthcare organizations making exceptional progress. However, there is still room for improvement. CynergisTek identified several privacy areas that should be focused on in 2021.

These measures include implementing user access monitoring tools and engaging in proactive rather than reactive monitoring, addressing defective HIPAA authorizations, preventing violations of the Minimum Necessary Rule by defining criteria to limit PHI disclosure, updating insufficient privacy policies and procedures and ensuring the new policies are implemented, and addressing inappropriate Hybrid Entity designations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.