New Report Looks at Cybersecurity Preparedness

Feb. 29, 2024
A new report published by a collaborative of organizations looks at current levels of cybersecurity preparedness

How far have patient care organizations really gotten in terms of evolving forward their cybersecurity strategies? A report collectively produced by Censinet, KLAS Research, the American Hospital Association, Health-IASAC, and the Healthcare and Public Health Sector Coordinating Council, is providing a snapshot.

“Current and Emerging Healthcare Cyber Threat Landscape: Executive Summary for CISOs,” was published on Feb. 29. The report begins thus: “With cyberattacks on the rise, having a strong cybersecurity strategy is a must for healthcare organizations, especially as they face post-pandemic resource constraints and staffing shortages. Many are protecting their data by adopting and implementing cybersecurity frameworks and best practices, such as the NIST Cybersecurity Framework (NIST CSF) and the Health Industry Cybersecurity Practices (HICP). NIST CSF and HICP are accessible resources for healthcare organizations, and high NIST CSF and HICP coverage is a strong indication of cybersecurity preparedness. This report—a collaboration between Censinet, KLAS, the American Hospital Association, Health-ISAC, and the Healthcare and Public Health Sector Coordinating Council—provides an update to previous research on the status of healthcare cybersecurity preparedness. It also examines the effect of governance and resource investment on cybersecurity preparedness and insurance premiums. Data for this report comes from 58 respondents (54 payer or provider organizations and 4 healthcare vendors) who were interviewed September–December 2023.”

An absolutely key question: which cybersecurity frameworks and guidelines have patient care organizations implemented? They are as follows (most have implemented more than one)? NIST CSF, 57 percent; CIS Controls, 29 percent; HICP, 29 percent; HITRUST, 14 percent; NIST CSF (not used as the primary cybersecurity framework): 14 percent; ISO/IEC 27001, 10 percent; SOC 2, 9 percent; ISO/IEC 27002, 5 percent; CMMC, 3 percent; other frameworks/guidelines, 22 percent; no frameworks/guidelines, 10 percent.

Asked about their coverage across their organizations along various dimensions, the following were the results with regard to maturity with NIST CSF functions: “identify,” 65 percent; “protect,” 70 percent; “detect,” 70 percent; “respond,” 75 percent; “recover,” 69 percent;

When it comes to maturity with HICP functions, the survey found the following results: “email protection systems,” 84 percent; “cybersecurity oversight and governance,” 83 percent; “access management,” 79 percent; “vulnerability management,” 77 percent; ‘Incident response,” 71 percent; “asset management,” 70 percent; “endpoint protection systems,” 69 percent; “network management,” 67 percent; “data protection and loss prevention,” 60 percent; and “medical device security,” 50 percent.

Importantly, the report notes, “On average, respondent organizations who adopt NIST CSF have lower year-over-year increases to their cybersecurity insurance premiums. In particular, those using NIST CSF as their primary cybersecurity framework report premium increases one-third the percentage reported by non-NIST CSF organizations. Higher coverage within the NIST CSF categories related to cyber resiliency is especially correlated with lower increases in cybersecurity premiums. Focusing on these areas helps organizations mitigate the impact of breaches on patient care and safety and maintain business continuity.”

The full report can be found here.

Sponsored Recommendations

How Digital Co-Pilots for patients help navigate care journeys to lower costs, increase profits, and improve patient outcomes

Discover how digital care journey platforms act as 'co-pilots' for patients, improving outcomes and reducing costs, while boosting profitability and patient satisfaction in this...

5 Strategies to Enhance Population Health with the ACG System

Explore five key ACG System features designed to amplify your population health program. Learn how to apply insights for targeted, effective care, improve overall health outcomes...

A 4-step plan for denial prevention

Denial prevention is a top priority in today’s revenue cycle. It’s also one area where most organizations fall behind. The good news? The technology and tactics to prevent denials...

Healthcare Industry Predictions 2024 and Beyond

The next five years are all about mastering generative AI — is the healthcare industry ready?