Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices
A recent study of cybersecurity best practices adopted by large and small healthcare providers has revealed there is a growing gulf between the two. Larger providers are more likely to have mature, sophisticated cybersecurity defenses, while smaller providers are struggling to follow cybersecurity best practices.
For the study, KLAS and CHIME analyzed responses to the 2018 Healthcare’s Most Wanted survey given by around 600 healthcare providers and assessed each to determine whether they were adhering to healthcare cybersecurity best practices.
One of the requirements of the Cybersecurity Act of 2015 was for the Department of Health and Human Services (HHS) to form a task group to develop guidance for healthcare providers to help them manage and mitigate threats to patient data.
The 405(d) Task Group released the document – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) – which details 10 cybersecurity practices relevant to healthcare providers of all sizes. Each of these practices must be addressed to reduce cybersecurity risk to a reasonable and acceptable level.
The 10 practices are:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
KLAS and CHIME assessed the responses against these practices and found large healthcare organizations to be performing well, with mature and sophisticated cybersecurity defenses. Larger healthcare organizations were more proactive, conducting regular vulnerability scans and application testing to find weaknesses between assessments, whereas smaller providers relied on periodic penetration tests to identify vulnerabilities.
Larger healthcare organizations were more likely to have a dedicated CISO, board-level committees and governance, risk management, compliance committees, and BYOD management, which were often found lacking at smaller organizations.
Smaller providers were less likely to use network segmentation and multi-factor authentication – two important measures for limiting the damage when a device or a set of credentials is compromised. While network access controls had been implemented at virtually all surveyed provider organizations, fewer than half of smaller providers had implemented network segmentation.
Network segmentation limits the spread of malware inside the network and stops an attacker who has compromised one system from reaching every other system on it. Without segmentation, a single compromised device can give an attacker a path to the entire network, including clinical systems and medical devices that share it. Multi-factor authentication is similarly important. If credentials are stolen, in a phishing attack for example, multi-factor authentication should stop the stolen password alone from being enough to access the account, provided it is enforced on the services the attacker can reach, such as email and remote access. Only half of smaller providers had implemented MFA.
There were several positives in the report. Email and endpoint security systems had been implemented at most provider organizations, which provides a reasonable level of protection against external threats. The threat from phishing was being addressed through security awareness training and phishing email simulations: 70% of all providers conducted phishing simulations at least every quarter.
Providers are concerned about medical device security and the potential for an attack to cause harm to patients. Most providers have included medical device security in their cybersecurity program, supported by strong practices in related areas such as network and asset management. Data loss prevention solutions have also been widely adopted, although on-premises DLP solutions have slowed the transition to the cloud. Most organizations that use DLP solutions back up data to physical media or on-premises storage rather than using cloud backup services.
Incident response plans have been developed by most providers, and most have signed up with information sharing and analysis organizations to participate in threat sharing. It is essential to have a plan in place to ensure a smooth incident response, but that plan must be tested to make sure it works in practice. Only half of organizations conduct an exercise, such as a tabletop simulation of a ransomware outbreak, at least annually to test their incident response plan.
“Today’s security requirements are challenging historical asset management practices, making it increasingly necessary for organizations to establish clear policies that align their IT, information security, healthcare technology management, and procurement teams,” said Steven R. Cagle, CEO of Clearwater, sponsor of the report.
Improving an organization’s cybersecurity posture can be a challenge when money and staff are insufficient to address every issue at once. Consequently, it can be difficult to know where to start. Cagle suggests starting with a comprehensive risk analysis to identify and evaluate all risks. A risk management plan can then be developed that prioritizes the vulnerabilities posing the greatest risk to patients and data.
Larger healthcare organizations are more likely to use risk management software to support this process and identify the highest risks and optimize deployment of security controls. The result is greater risk reduction for lower costs.
The findings of the KLAS-CHIME study were published in the white paper – How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices (HICP) Guidelines?