U.S. hospitals and health systems are woefully unprepared for the intensifying cybersecurity threats facing them, the annual report of the Austin, Texas-based CynergisTek consulting firm has found.
Indeed, CynergisTek’s leaders, in their fourth annual report on the state of U.S. health system cybersecurity preparedness, entitled “Maturity Paradox: New World, New Threats, New Focus,” found in their analysis that fully 64 percent of organizations were below an 80-percent level of preparedness.
A press release published to the company’s website on July 27 stated that “[M]ost hospitals critically lack the ability to secure their supply chain systems.” For the report, CynergisTek professionals reviewed just under 100 assessments of healthcare providers across the healthcare system, including hospitals, physician practices, accountable care organizations, and business-associate organizations. “These assessments measure organizations’ security posture against the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), a standardized framework first published in 2014 intended to help protect American critical infrastructure,” the press release noted.
Further, it noted, “Assessments were categorized into two cohorts: high performers with NIST conformance scores over 80% and low performers with conformance scores under 80 percent. CynergisTek’s 2021 report focuses on the industry’s overall status in cybersecurity preparedness, with 64 percent of organizations below 80 percent conformance. The report identified several areas for continued improvement in planning and preparedness, especially seeing as only 75% improved during the coronavirus pandemic – even then only slightly. While that is progress, it isn’t the progress the industry needs to shore up defenses. Investing in security, in the long run, is often ultimately more cost effective than paying the recent exorbitant ransoms.”
“The past year has been arguably the most trying on the U.S. and global healthcare systems. We saw cybercriminals attack hospitals and healthcare institutions when they were at their most vulnerable – the industry made it through, granted with some bumps and bruises,” said David Finn, EVP at CynergisTek, in a statement contained in the press release. “It is the responsibility now – of stakeholders, C-suite, IT managers, and anyone involved in protecting our healthcare system – to ensure that patient care remains resilient even in an environment with growing cyberattacks. The report demonstrates there is work to be done, but there are also immediate opportunities to shore up risk management practices.”
The report found that, “Overall, supply chain management was the second lowest-scoring and least mature category assessed. Even among high-performing organizations that have significantly improved over the past four years, scores averaged 2.7 out of 5, reflecting a universal challenge that companies face in identifying and addressing risks across their supply chains. With an acceptable score above a 3, only 23% of organizations passed on supply chain security – and barely – not even high performers achieved above a 3,” the press release stated. “In particular, CynergisTek found that organizations struggle to validate whether third-party partners are meeting contractual security obligations. Given recent attacks on these critical third parties and suppliers – ranging from SolarWinds to Microsoft Exchange – and given the decentralized nature of global supply chains, it is imperative for organizations to dedicate time and resources to supply chain security before risks expand exponentially.”
The full report can be accessed here.
Shortly after the report’s release, David Finn spoke with Healthcare Innovation Editor-in-Chief Mark Hagland regarding its implications for the industry. Below are excerpts from that interview.
Sixty-four percent of organizations fell below a passing grade for cybersecurity preparation, according to your team’s analysis. What does that say?
It’s kind of odd—the first thing we found when we looked at the raw numbers is that overall improvement was huge—it had gone up fifteen percent. What we found was… we usually had done three hundred assessments for a little over one hundred customers. The number of assessments we did had dropped by about twenty percent in 2020. They focused on other security work. So what had happened was that they were throwing money and resources at the most urgent things. And when you look at last year, everyone was being thrown into remote work; and so customers were doing things that had to get done in the emergency, rather than assessments.
So we decided we couldn’t do an apples-to-apples comparison. So we dug into the subcategories, and that’s where it got really interesting. For example, there are the five key elements—identify, protect, detect, respond, and recover. And then within each of those core elements are a series of categories; for instance, “identify” has six categories. And each of those categories will have between two and twelve subcategories. So we started looking at asset management, which is simply understanding where your devices and data are. But when we started to dig into the subcategories, we found that seventy-three percent of the sector falls into low performance, meaning under eighty percent of performance, meaning they don’t know where their data is or where their devices, particularly their medical devices, are.
And then we got into asset management and looked at governance, and found we’re doing a pretty good job of governance, knowing who does what in the organization. That’s doing pretty well. But if you don’t know where the assets are, it probably doesn’t help you if you have governance.
The issues I would call out would include asset management; if you don’t know what you have or where it is, you’re not going to do well. It’s the first step in the NIST framework, and to know that seventy-three percent of our customers are failing to meet that, it’s not a good start.
And because of what happened last year, NIST added supply chain risk management about three years ago, and we’ve been doing supply chain risk management assessment for a while. So eleven of our seventy-eight customers achieved a score of 3.0 out of 5, meaning that they’re actually beginning to do that. It’s kind of like a “C” grade. And only eleven of the seventy-eight achieved that; everyone else got a D or an F.
What are the absolutely key things that patient care organization leaders need to nail down right now?
The first thing here is that we have to take security seriously, and I’ve been saying this for twenty-some years now. If 2020 hadn’t done it, people should understand that security and privacy aren’t just elements of your business, they are your business. And this isn’t just healthcare; we’ve seen pipelines, meat processing plants, schools, and all sorts of businesses get hit. I just read a stat covering January 2016 through December 2020: four thousand daily ransomware attacks in the U.S. And we’re still not preparing for it. You just need to be ready all the time.
And when you see issues like SolarWinds, where your security vendors are getting it, it’s really frightening. And at the beginning of COVID, we saw the supply chain issues. And people couldn’t get PPE or ventilators, and no one had backups. No one had a plan B. And with what’s been going on, now, you’d better be ready with plans C and D, not just plan B.
And the bad guys are moving faster and smarter, right?
Yes. And healthcare organizations don’t have excess money, but they have one of the most complicated supply chains anywhere. And organizations need to start uncomplicating their supply chains. People need to think about their supply chain not as an adjunct to their business, but as an integral part—not just from a security perspective, but from an operational perspective. It is part of your business, and you’d better treat your partners that way, and have plans. We need to include our business partners and supply chain in all our security planning; it starts at the beginning. And you’ve got to take a risk-based approach. And some are critical to your operations, and very few organizations are thinking like that.