It seems a day doesn't go by without a story about a data breach within a healthcare organization breaking. Within the past few weeks, there have been rafts of healthcare breaches. Last week, a life was lost as when a ransomware attack forced a patient to be diverted from one hospital to another.
It's clear: healthcare organizations worldwide are understaffed when it comes to information security, working with older technology, and are unable to get their environments to the risk posture they need.
Last week, cybersecurity healthcare services provider CynergisTek released its annual report, Moving Forward: Setting the Direction. It's their third such annual report and is based on the risk assessments performed across 300 organizations. This year's report found that just 44% of healthcare providers — hospital and health systems, hospitals, physician practices, ACOs, and Business Associates — met the criteria details within the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF). Some organizations, the report found, actually lost ground.
Interestingly, the report found that just having a bigger budget didn't necessarily mean better security outcomes. Some organizations with bigger budgets performed more poorly than their smaller counterparts who had less to invest.
However, in some cases, the report found that larger organizations slipped because of recent acquisitions where the newly acquired organizations' computing environment had poor security postures. "What our report has uncovered over recent years is that healthcare is still behind the curve on security. While healthcare's focus on information security has increased over the last 15 years, investment is still lagging. In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo won't cut it," David Finn, executive vice president, strategic innovation at CynergisTek said. "The good news is that issues emerging in our assessments are largely addressable. The bad news is that it is going to require investment in an industry still struggling with financial losses from COVID-19," he continued.
The report found several factors holding healthcare organizations back from improving their security. They include poor security planning, lack of organizational focus, inadequate reporting structures, inadequate funding, lack of clear priorities and staff.
The report provided the following security remediation plan:
The CynergisTek report is based on the aggregation of results from about 300 security risk assessments performed across provider facilities. The 2019 evaluations were based on the NIST Cyber Security Framework. Additionally, CynergisTek said, all of the subjects of this analysis were also measured against the HIPAA Security Rule.
You can access the report here.
tags
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.
View all postsDon’t miss out on exclusive content and exciting announcements!