Digging Into CynergisTek’s Concerning Cybersecurity Findings

Oct. 5, 2020
The results of the survey used to help populate the annual report from the CynergisTek consulting firm confirm the set of cybersecurity-related challenges facing patient care organization leaders right now

It was great—as always—to speak a couple of weeks ago with David Finn, the executive vice president of strategic innovation at the Austin, Texas-based CynergisTek cybersecurity consulting firm. David always has tremendous insights to share regarding the current issues and trends in the healthcare cybersecurity sphere. And we spoke following the release of CynergisTek’s annual report last month.

And that report itself really was worth noting. CynergisTek’s leaders decided this year to focus on what’s not happening, David noted in his interview with me. Thus, as I wrote last week in summarizing the report’s findings:

“Hospital-based organizations remain highly susceptible to cyberattacks, and in fact, in certain respects, are falling behind, as the threats to patient care organizations nationwide are only increasing and intensifying almost daily now. Those are some of the core conclusions of a report on cybersecurity preparedness released late last month by the Austin, Texas-based CynergisTek consulting firm. Indeed, the report stated, among other findings, that:

• Only 44 percent of providers across the continuum (e.g., hospitals and health systems) conformed to the protocols of the Cybersecurity Framework (CSF) of the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce

• Healthcare supply chain security is one of the lowest-ranked areas for NIST CSF

• COVID-19 demonstrated how broken the healthcare supply chain is, with providers buying PPE from unvetted suppliers

• The report also revealed that bigger healthcare institutions with bigger budgets didn't necessarily perform better when it comes to security, and in some cases performed worse than smaller organizations or those that invested less.

As CynergisTek’s leaders note in their introduction to the report, entitled “Moving Forward: Setting the Direction,” “In our third annual report ‘Moving Forward: Setting the Direction,’ we evaluate the state of security in healthcare utilizing NIST CSF and compare it against 3-years’ worth of historical client data,” referring to the Cybersecurity Framework created and maintained by the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce.

The report focuses on three key areas that CynergisTek’s leaders believe are exceptionally important in the current moment.

“First,” they wrote, “scores overall are down when looking at NIST CSF. Only scores for conformance with the HIPAA Security Rule were up by 1 percent from 2018 (75 percent) to 76 percent in 2019 and up from 70 percent in 2017. A reasonable improvement over 3 years but slowing significantly from 2018 to 2019. In terms of NIST CSF with the full use of NIST CSF 1.1 for our assessments in 2019, we expected some decline in those scores due to the changes in managing cybersecurity within the Supply Chain (1 new category in the Identify Function). NIST CSF 1.1 also introduced 10 new sub-categories in the Identify, Protect, and Respond Functions. Unfortunately, scores declined in all Functions except Detect which remained at an average score of 2.1 across all three years.”

“And finally, the industry may be too focused on getting good grades rather than reducing risk. While comparisons to others in the industry are important and help you understand where you stand and where others are focusing, they don’t reduce your risk or protect you. This is not about the scores. Cybersecurity is about risk management — at the enterprise level, not just IT and Security risks. That is really what the HIPAA Security Rule was about — not getting ‘compliant’ (because there is no such thing) but building an on-going risk management process. Looking at a neighboring facility or even across the sector and saying ‘we’ve done enough’ is dangerous. This isn’t a matter of running faster than your friend like in the old joke where two men are running and one of them says to the other: ‘I don’t have to run faster than the bear. I just have to run faster than you.’ The cyber-criminal isn’t just looking for a snack, he/she will target specific institutions, data and people and will change course or shift approaches faster than a bear can. In other words, in cybersecurity, if you are not improving, you are falling behind in managing your risks — the bad guys keep getting better, the technology more complex and more of it is being deployed.”

Meanwhile, CynergisTek’s leaders offered the IT security leaders in patient care organizations several key pieces of advice, namely these:

• When it comes to cybersecurity, it’s all about rinse, repeat, and repeat again! Organizations that had a regular risk assessment and prioritized remediating the outcomes/insights learned from those assessments, and then dedicated staff, organizational support, and effort to the prioritized targets had significant improvement on their NIST CSF conformance and score.

• Attackers are pivoting and the attack surface is expanding.

• New rules are complicating, and will continue to complicate, healthcare and security. When it comes to interoperability, information blocking, state privacy laws and adjacent sectors, we just haven’t moved far enough beyond COVID-19 or adopted interoperability to adequately focus on it. However, it is coming and it won’t be as simple as it seems.

• Talking (or planning) is not doing. Organizations that simply did assessments but did not plan and act on their assessment findings stayed flat or lost ground.

And the Sep. 17 press release announcing the release of the report quoted Caleb Barlow, president and CEO of CynergisTek, as saying that “We found healthcare organizations continue to enhance and improve their programs year-over-year. The problem is they are not investing fast enough relative to an innovative and well-resourced adversary. These issues, combined with the rapid onset of remote work, accelerated deployment of telemedicine and impending openness of EHRs and interoperability, have set us on a path where investments need to be made now to shore up America’s health system. However, the report isn’t all doom and gloom. Organizations that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools have seen significant improvements to their NIST CSF conformance scores.”

As David noted in our interview two weeks ago, “The annual report for us really is a survey of the assessments we’ve done in the past 12 months. We were a little bit surprised, because we discovered NIST’s CSF scores are down across the board. We expected with NIST’s new version of CSF scores that we’d see declines in certain areas, but frankly, they’re across the board. And when organizations stopped being very rigorous, they slid backwards. If they were not making changes and adjustments in near-real time we found that they were actually losing ground. We also found that a lot of organizations have been too focused on their scores, and not as focused on what’s important, which is reducing risks. It goes back to the old check-box mentality.”

What’s more, David noted to me the contradictory nature of the policy landscape right now, as “[T]he interoperability and information-blocking rules now actually require more information-sharing. So it’s a difficult moment, and it’s also a different world now, everything’s changed. And we have to rethink everything in terms of security and privacy. And we’ve long known that security work can disrupt clinical workflows; but during COVID-19, we’ve found that changes in clinical workflows can disrupt security. We’re really going to have to bring the clinicians to the table, figure out what we need to know, and build security into clinical workflows.”

And that seems to be at the nut of all of this. As we shift further into the value-based care delivery and payment world, and, as we try to move forward through and out of the COVID-19 pandemic, data- and information-sharing will be more important than ever. And yet the cybersecurity risks are only growing by the day now.

What seems obvious is that the cybersecurity divide continues to grow between those organizations that are sufficiently financially resourced and those that aren’t. The better-resourced patient care organizations can afford to do several things: they can hire CISOs and teams to work under and with their CISOs; they can invest in behavioral monitoring capabilities; they can do far more comprehensive network segmentation; and they can hire external SOCs (security operations centers) to help them with a lot of essential tasks that are difficult to manage and execute on in smaller internal departments. And yet, and yet, and yet: the larger patient care organizations studied by the CynergisTek people didn’t necessarily perform better than the smaller, more poorly resourced patient care organizations, and in some cases actually performed worse.

Meanwhile, the threats are only accelerating and intensifying now. So this really does seem like a pivotal moment in the cybersecurity sphere—which is why the CynergisTek folks decided to focus this year on what isn’t getting done. As David Finn told me, “One thing we’ve seen historically, and now they’re probably even more overwhelmed—they do their annual risk assessment, and end up with their list of 100 things, and they either are overwhelmed, and consequently, nothing gets done; or they prioritize those lists, and say we’ll work on three items and engage everyone. But when we dug into the organizations that had made progress and then slipped back, the ones that did well took an enterprise risk management approach. We need to realize that it’s a journey, not a destination.”
