According to a recent study, larger healthcare providers are more likely to have fully developed, sophisticated cybersecurity defenses, whereas smaller healthcare providers struggle to implement cybersecurity best practices.
KLAS and CHIME conducted the study and examined the responses of about 600 healthcare providers to the 2018 Healthcare’s Most Wanted survey. The study sought to find out if providers were following healthcare cybersecurity best practices.
The Cybersecurity Act of 2015 requires the Department of Health and Human Services (HHS) to have a task group to create guidance for healthcare providers that would help them handle and minimize risks to patient information.
The 405(d) Task Group published the report – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). It details 10 cybersecurity principles applicable to healthcare providers of all sizes, which should be followed to reduce cybersecurity risk to a reasonable and acceptable level.
These are the 10 cybersecurity principles:
- Email protection systems
- Medical device security
- Endpoint protection systems
- Access management
- Network management
- Data protection and loss prevention
- Vulnerability management
- Incident response
- Cybersecurity policies
KLAS and CHIME evaluated the survey responses against these 10 principles and found that large healthcare providers are doing well, with fully developed and superior cybersecurity defenses. Large healthcare providers were proactive, performing routine vulnerability scans and application testing, while smaller providers relied on penetration tests to detect vulnerabilities.
Large healthcare providers were very likely to have a dedicated CISO, board-level committees and governance, BYOD management, and risk management and compliance committees, which were usually not found in smaller organizations.
Small healthcare providers were unlikely to use multi-factor authentication and network segmentation. Both are important measures for limiting the damage when credentials are compromised. Although network access controls were used in practically all surveyed organizations, fewer than 50% of small providers used network segmentation.
Network segmentation is essential to prevent malware from propagating internally and to keep attackers from gaining complete access to the entire system. Without network segmentation, one compromised device could lead to the compromise of the entire network. Multi-factor authentication is likewise crucial for limiting the damage from stolen credentials, for instance after a phishing attack. Only 50% of small providers use MFA.
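The two controls discussed above can be reasoned about quantitatively. The following added example (it is not from the KLAS/CHIME report or the HICP guidance) models a small, entirely constructed hospital network and estimates the "blast radius" of a single compromised workstation. Lateral movement in the model requires both a network path permitted by the segmentation policy and a password that the target host accepts; hosts protected by MFA do not accept a password alone. The host names, segments, account names and the policy are all assumptions made for the illustration.

```python
"""Blast-radius estimate for one compromised workstation under different
control configurations. All inventory data below is constructed sample data."""
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed inventory: host -> (network segment, accounts whose password is
# cached or usable on that host). A real assessment would pull this from a CMDB.
HOSTS: Dict[str, Tuple[str, Set[str]]] = {
    "ws-01":         ("workstations",    {"nurse1"}),
    "ws-02":         ("workstations",    {"nurse2"}),
    "ws-03":         ("workstations",    {"nurse1", "admin"}),
    "ehr-app":       ("servers",         {"admin", "svc-ehr"}),
    "ehr-db":        ("servers",         {"admin"}),
    "backup":        ("servers",         {"admin"}),
    "imaging":       ("medical-devices", {"biomed", "admin"}),
    "infusion-pump": ("medical-devices", {"biomed"}),
    "biomed-ws":     ("biomed-mgmt",     {"biomed"}),
}

# A flat network has no policy: every host can reach every other host.
FLAT_POLICY: Optional[Set[Tuple[str, str]]] = None

# Segmented network: explicit allow-list of (source segment, destination segment).
# Traffic inside one segment is always allowed; medical devices are reachable
# only from the biomedical engineering management segment.
SEGMENTED_POLICY: Set[Tuple[str, str]] = {
    ("workstations", "servers"),
    ("biomed-mgmt", "medical-devices"),
}

# Hosts where MFA is enforced, so a stolen password alone is insufficient.
MFA_HOSTS: FrozenSet[str] = frozenset({"ehr-app", "ehr-db", "backup"})


def path_allowed(policy: Optional[Set[Tuple[str, str]]], src_seg: str, dst_seg: str) -> bool:
    """True if the segmentation policy lets src_seg initiate traffic to dst_seg."""
    if policy is None:            # flat network
        return True
    return src_seg == dst_seg or (src_seg, dst_seg) in policy


def blast_radius(start: str,
                 policy: Optional[Set[Tuple[str, str]]],
                 mfa_hosts: FrozenSet[str] = frozenset()) -> Set[str]:
    """Hosts an attacker can reach from `start` by reusing passwords found on
    already-compromised hosts. Computed as a fixed point, because each newly
    compromised host may yield credentials that unlock hosts skipped earlier."""
    compromised: Set[str] = {start}
    creds: Set[str] = set(HOSTS[start][1])
    changed = True
    while changed:
        changed = False
        for src in list(compromised):
            src_seg = HOSTS[src][0]
            for dst, (dst_seg, dst_accounts) in HOSTS.items():
                if dst in compromised or dst in mfa_hosts:
                    continue
                if not path_allowed(policy, src_seg, dst_seg):
                    continue
                if creds & dst_accounts:          # a held password works here
                    compromised.add(dst)
                    creds |= dst_accounts         # harvest what is cached there
                    changed = True
    return compromised


def compare(start: str = "ws-01") -> Dict[str, int]:
    """Number of hosts reached under each combination of the two controls."""
    return {
        "flat, no MFA":      len(blast_radius(start, FLAT_POLICY)),
        "flat + MFA":        len(blast_radius(start, FLAT_POLICY, MFA_HOSTS)),
        "segmented, no MFA": len(blast_radius(start, SEGMENTED_POLICY)),
        "segmented + MFA":   len(blast_radius(start, SEGMENTED_POLICY, MFA_HOSTS)),
    }


if __name__ == "__main__":
    for scenario, count in compare().items():
        print(f"{scenario:18s} {count}/{len(HOSTS)} hosts reachable")
```

In the constructed inventory, a flat network with password-only logins lets one nurse workstation lead to every host except one; either control alone roughly halves that, and together they confine the incident to the workstation segment. Note that MFA alone still leaves the medical devices reachable in this model, which is the scenario the report singles out.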
There were a number of good points in the report. Most provider organizations implement email and endpoint security systems, which offer a good level of security against external risks. Security awareness training and phishing email simulations are used to address the risk from phishing. 70% of all healthcare providers performed phishing simulations quarterly.
Medical device security is a concern for providers, as an attack can potentially harm patients. The majority of providers include medical device security in their cybersecurity plan alongside strong practices in other areas. Providers also adopt data loss prevention methods, though reliance on on-premises DLP solutions has delayed their move to the cloud. Most organizations using DLP solutions back up data on-premises instead of taking advantage of cloud backup services.
Most providers have developed incident response plans, and most have joined information sharing and analysis organizations to participate in threat sharing. An established plan is important for a smooth incident response; however, that plan should be tested to ensure it works. Only 50 percent of organizations conduct annual tests of their incident response plan.
Steven R. Cagle, CEO of Clearwater, the sponsor of the report, commented on the increasing need for organizations to have distinct policies that align their IT, healthcare technology management, information security and procurement teams.
It can be difficult to improve an organization’s cybersecurity posture considering there is too little money and resources available to handle all issues. Cagle recommends doing a comprehensive risk analysis first to determine and assess all risks. Then, develop a risk management plan to prioritize the most critical vulnerabilities.
Large healthcare providers are more likely to use risk management software to help identify the highest risks and optimize the implementation of security controls. This lowers risk at lower cost.
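The approach Cagle describes, a risk analysis followed by a plan that prioritizes the most critical items, can be made concrete with a small worked example. The following code is added here and is not from the report, from Clearwater, or from any risk management product; the risks, their likelihood and impact ratings, the candidate controls, their costs and their effects are all constructed for the illustration. It scores each risk as likelihood times impact on a 1 to 5 scale, ranks them, and then selects controls under a fixed budget by recomputing each remaining control's risk reduction per unit of cost after every choice, so that diminishing returns (a control whose target risk is already partly mitigated) are taken into account.

```python
"""Risk ranking and budget-constrained control selection.
All risks, controls, costs and effects are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (patient harm / major breach)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                                # constructed, thousands of dollars
    effect: Dict[str, Tuple[int, int]]       # risk name -> (likelihood cut, impact cut)


# Constructed output of a risk analysis: the register before any new controls.
RISKS: Dict[str, Risk] = {r.name: r for r in [
    Risk("phishing credential theft",    5, 4),
    Risk("flat-network malware spread",  4, 5),
    Risk("unpatched EHR server",         3, 5),
    Risk("unencrypted laptop",           3, 3),
    Risk("device default passwords",     2, 5),
]}

# Constructed candidate controls and the assumed effect of each on the register.
CONTROLS: List[Control] = [
    Control("MFA",                       40,  {"phishing credential theft": (3, 0)}),
    Control("network segmentation",     120,  {"flat-network malware spread": (2, 2),
                                               "device default passwords": (1, 0)}),
    Control("patch management",          30,  {"unpatched EHR server": (2, 0)}),
    Control("full-disk encryption",      15,  {"unencrypted laptop": (0, 2)}),
    Control("device password hardening", 20,  {"device default passwords": (1, 0)}),
]


def rank(risks: Dict[str, Risk]) -> List[str]:
    """Risk names ordered from highest to lowest inherent score (stable on ties)."""
    return [r.name for r in sorted(risks.values(), key=lambda r: -r.score)]


def total_risk(risks: Dict[str, Risk]) -> int:
    return sum(r.score for r in risks.values())


def apply_control(risks: Dict[str, Risk], control: Control) -> Dict[str, Risk]:
    """Return the register after the control, never rating below 1 on either axis."""
    out = {}
    for name, r in risks.items():
        dl, di = control.effect.get(name, (0, 0))
        out[name] = Risk(name, max(1, r.likelihood - dl), max(1, r.impact - di))
    return out


def plan(risks: Dict[str, Risk], controls: List[Control], budget: int) -> Tuple[List[str], int, int]:
    """Greedy selection by risk reduction per cost unit within the budget.
    Returns (chosen control names in order, residual total risk, spend)."""
    current = dict(risks)
    remaining = list(controls)
    chosen: List[str] = []
    spent = 0
    while True:
        best, best_ratio, best_state = None, 0.0, None
        for c in remaining:
            if c.cost > budget - spent:
                continue                         # unaffordable this round
            after = apply_control(current, c)
            ratio = (total_risk(current) - total_risk(after)) / c.cost
            if ratio > best_ratio:               # recomputed against current state
                best, best_ratio, best_state = c, ratio, after
        if best is None or best_state is None:
            break
        chosen.append(best.name)
        spent += best.cost
        current = best_state
        remaining.remove(best)
    return chosen, total_risk(current), spent


if __name__ == "__main__":
    print("inherent ranking:", rank(RISKS), "total", total_risk(RISKS))
    for budget in (100, 250):
        chosen, residual, spent = plan(RISKS, CONTROLS, budget)
        print(f"budget {budget}: {chosen} -> residual {residual}, spent {spent}")
```

With the constructed values, the cheap, high-ratio controls are chosen first and the expensive segmentation project only fits the larger budget; the example also shows that once device password hardening has been applied, segmentation's residual benefit on that risk is zero, which is why the ratio must be recomputed after each selection rather than taken once from the inherent register.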
Read about the KLAS-CHIME study in this published white paper – How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices (HICP) Guidelines?