KLAS, CHIME Release Report Showing Gaps, Gains in Cybersecurity Practices in Healthcare

June 28, 2019
On Friday, KLAS Research and CHIME released a report that offers a view of the current landscape around cybersecurity practices, showing gaps and gains across the board.

Where do provider organizations stand today in their adoption of best practices around 10 overarching cybersecurity practices? The Orem, Utah-based KLAS Research and the Ann Arbor, Michigan-based College of Healthcare Information Management Executives (CHIME) on June 28 released a report that offers a view of the current landscape around cybersecurity practices, focusing on the HHS (Department of Health and Human Services) Task Group’s set of cybersecurity practices, in conjunction with CHIME’s “Most Wired” program.

As a press release published jointly by KLAS and CHIME on Friday morning noted, “Many organizations that participated in the CHIME HealthCare’s Most Wired program in 2018 reported they follow cybersecurity practices recommended by a federally convened task group of private and public cybersecurity leaders, according to research released today by CHIME and KLAS Research. The task group, called for in Section 405(d) of the Cybersecurity Act of 2015, published their recommendations in HICP (“Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients”) at the end of 2018.”

In that context, the press release noted, “HICP lists 10 overarching cybersecurity practices that the task group determined organizations of all sizes, from local clinics to large healthcare systems, should follow. These include email protection systems, endpoint protection systems, access management, data protection and loss prevention, network management, vulnerability management, incident response, medical device security and cybersecurity policies. An analysis of responses in the 2018 Most Wired survey was published today as a CHIME-KLAS white paper, “How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices (HICP) Guidelines?” The whitepaper reports that while many providers have adopted guidelines outlined in HICP, there was room for improvement, especially among smaller organizations.”

In preparing the report, KLAS and CHIME analyzed responses from the 600+ healthcare organizations that participated in the 2018 Healthcare’s Most Wired survey. Though that survey and the HICP guidelines do not overlap in every regard, this white paper explores adoption of those HICP guidelines that were measured by the Most Wired survey. This analysis was augmented by provider commentary and data collected by KLAS via other research efforts.

Among the key findings of the Most Wired survey:

- Regardless of size, most organizations have deployed email and endpoint protection systems, establishing an initial layer of defense against internal and external threats.

- Many organizations are transitioning from homegrown identity and access management (IAM) solutions to commercial solutions to support their identity policies. Multifactor authentication (MFA) remains a gap for half of small organizations.

- Data-loss prevention (DLP) solutions have been widely adopted, though deployment of on-premises DLP solutions has slowed, as organizations have transitioned to the cloud.

- Today’s security requirements are challenging historical asset management practices.

- Most organizations have network access control (NAC) solutions to monitor devices that connect to their networks; however, less than half of small organizations are using network segmentation to control the spread of infections.

- Large organizations report more sophisticated and more frequent vulnerability scanning and application testing. Small organizations more frequently turn to penetration testing to identify vulnerabilities.

“CHIME’s goal with Most Wired is to improve patient safety and outcomes around the world by identifying best practices and sharing that knowledge across our industry,” said Russell Branzell, CHIME’s president and CEO, in a statement in the press release. “Working with KLAS, we are able to use this amazing resource to benchmark the current state of the industry and highlight strengths and gaps. HICP provides a perfect opportunity to see how far we have progressed and where we need to go in cybersecurity.”

“This report is a wake-up call and road map to identifying cybersecurity vulnerabilities for healthcare providers, and highlighting where specific progress needs to be made,” said Adam Gale, president of KLAS. “CHIME is playing a critical role in monitoring and promoting adoption of HICP recommendations.”

The CHIME-KLAS white paper also found many organizations have an incident-response plan, but only half conduct an annual enterprise-wide exercise to test the plan. For medical device security, some large organizations report investing in supporting technologies while small organizations say they have strong internal processes. Small organizations are less likely to use cybersecurity policies, and small and medium organizations are four times less likely to have a CISO than large organizations.
