Adoption of Security Best Practices: A Status Report
New Study Sizes Up Healthcare Organizations' Efforts to Battle Cyberthreats
Are healthcare organizations becoming better prepared to battle evolving cyberthreats?
A new study by the College of Healthcare Information Management Executives and healthcare IT research firm KLAS offers an interesting assessment of preparedness.
The study examined responses from 649 small, midsized and large healthcare entities regarding their adoption of 10 cybersecurity best practices recommended in a report issued late last year by the Department of Health and Human Services (see: HHS Publishes Guide to Cybersecurity Best Practices).
The report, "Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients," was the culmination of a two-year effort involving more than 150 cybersecurity and healthcare experts. The Cybersecurity Information Sharing Act of 2015 had mandated that HHS develop practical cybersecurity guidelines.
A Status Report
According to the CHIME/KLAS study, here's where healthcare entities of various sizes stand in their adoption of several key best practices:
Endpoint Protection: Regardless of size, most organizations say they have deployed some type of email and endpoint protection systems. That includes email filtering systems and endpoint encryption. But larger organizations - including hospitals with more than 300 beds - are further ahead in their deployment of more mature practices and technologies, such as digital signatures to verify that emails come from trusted sources and have not been manipulated in transmission, as well as mobile device management systems.
Identity and Access Management: Many organizations say they are transitioning from homegrown identity and access management solutions to commercial solutions to support their identity policies. More than 80 percent of surveyed organizations say they have implemented single sign-on solutions to enable quick and easy access to multiple systems with a single login. Small organizations - those hospitals with fewer than 50 beds - were far less likely to have implemented multifactor authentication.
Regardless of size, organizations reported little adoption of adaptive/risk-based authentication, which requires additional verification based on the risk level of the action being attempted.
Data Loss Prevention: DLP solutions have been widely adopted, although deployment of on-premises DLP solutions has slowed as organizations have transitioned to the cloud. Organizations indicate they are more likely to back up data in a physical location than to use cloud backup services. Very few small organizations report using data or infrastructure as a service. While midsize and large organizations are more likely to use these services, adoption is still limited.
Network Access Control: Most organizations say they have implemented network access control solutions to monitor devices that connect to their networks. Fewer than half of small organizations, however, say they are using network segmentation to control the spread of malware. Large organizations report more sophisticated and more frequent vulnerability scanning and application testing. Smaller organizations more frequently turn to penetration testing to identify vulnerabilities.
Incident Response: Most organizations say they have an incident response plan in place and participate in an information sharing and analysis organization. However, only half of organizations report that they conduct an annual enterprise-wide exercise to test their incident response plan.
Medical Devices: Medical device security remains a top concern for organizations, especially as they weigh patient safety risks. But many organizations report that their medical device security programs are supported by cybersecurity practices in other IT areas, including endpoint protection, IAM, asset management, network management and vulnerability management.
Large organizations are more likely to have invested in technology to support their medical device security programs. And many organizations of all sizes report they haven't formalized internal ownership of medical device security and are just beginning to bring security into the medical device procurement process, including pre-purchase risk assessments, software bills of materials and patching provisions.
Governance: Small organizations are less likely to use some basic cybersecurity policies, such as having a dedicated CISO; implementing a formal governance, risk management, and compliance program; and instituting policies for bring-your-own-device management.
Glimmers of Hope?
While the CHIME/KLAS findings seem to show that many healthcare organizations are indeed making the effort to improve their cybersecurity posture, many gaps obviously still need to be filled - especially at smaller organizations.
So, what's at the top of your organization's best practice priority list for the second half of 2019?