
5 key insights for healthcare cybersecurity, primarily based on peer benchmarking

A new healthcare cybersecurity study this week offered some interesting findings in its analysis benchmarking best practices and key performance indicators, such as use of the NIST Cybersecurity Framework and 405(d) Health Industry Cybersecurity Practices.


In the 405(d) Post, Ed Gaudet, CEO and founder of Censinet, summarized five insights from the study's first wave, insights which he noted were included in the U.S. Health and Human Services Hospital Cyber Resilience Landscape Analysis released in April, along with HICP 2023 and new health system employee cybersecurity resources.

The Healthcare Cybersecurity Benchmarking Study, co-led by Censinet, KLAS Research and the American Hospital Association, aims to establish robust, trusted and actionable peer benchmarks to help healthcare organizations strengthen cybersecurity maturity and resiliency.

Peer benchmarking, Gaudet said, is a valuable tool, helping organizations identify, assess and mitigate enterprise cybersecurity risks. For the study, which began at the close of 2022, the researchers are looking at how organizations are adhering to the various cybersecurity frameworks, best practices and protocols to better understand where they are largely making progress, what some of the hold-ups are and where they have more to do.

“We’re looking at how prepared these organizations are to combat the adversaries that are obviously trying to plague and attack our health system,” Gaudet told Healthcare IT News at HIMSS23 in April, when infosec leaders convened for a healthcare cybersecurity preconference.

The data coming in from across the sector confirms that the healthcare industry is more reactive than proactive, and is positioned for response to cyberattacks, Gaudet said in the summary of the benchmarking study's early indications for the latest 405(d) publication.

“The healthcare industry currently is better positioned to respond to security incidents versus identifying (and mitigating) cyber threats before they become incidents,” Gaudet wrote.

Across all five NIST CSF functions, “respond” was ranked highest.

A second area he said healthcare delivery organizations should pay close attention to is supply chain risk management – healthcare maturity across all 23 NIST CSF categories is ranked last.

The healthcare organizations that have a higher third-party risk assessment maturity are seeing lower annual increases in cyber insurance premiums.

“It’s kind of incredible,” Gaudet remarked in April as this information was coming in.

“So, if you had a mature third-party program, you weren’t getting these huge cyberinsurance premium increases. We think there is a lot there to impart,” he had said.

However, researchers are also finding that there is a wide disparity in how organizations are applying HICP across the 10 best practice areas, Gaudet said. While email protections ranked highest in adoption, medical device security ranked last.

“With 10-15 network-connected medical devices per bed, and the market for Internet-of-Medical-Things growing rapidly, this will certainly be a key focus area for both biomed leaders and [chief information security officers] – especially with ransomware groups now directly threatening patient care and safety,” he said.

In fact, the correlation between CISO program ownership and HICP adoption for medical device security is statistically significant, Gaudet said.

When the CISO’s office owned responsibility for medical device security, HICP coverage increased from 45% with no ownership to 63% with full ownership.


Collaboration across the industry is critical with cybercrime-as-a-service on the rise.

Gaudet and others advocate for Meaningful Protection, a legislative proposal that would model a federal cybersecurity funding program after the one created to increase the use of electronic health records.

“To truly transform cybersecurity in healthcare, the U.S. government must consider modeling a cybersecurity investment program after Meaningful Use – namely, the ‘meaningful protection’ of patient safety, data and care delivery operations realized through a combination of incentives and penalties over time,” Gaudet wrote for Forbes about strategies and next steps to protect healthcare organizations from ransomware and other cyberattack disruptions.


“By comparing cybersecurity program performance and maturity to peer organizations, IT/Security teams can identify where critical gaps in security exist today, prioritize allocation of scarce resources and help justify future investment in cybersecurity to their boards to make the overall enterprise more resilient – and safer for patients,” Gaudet said in the 405(d) publication.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Author: AFox
Date: 2023-09-15 14:00:00
